Abstract


This document specifies three new cipher suites, two new signature algorithms, seven new 
supported groups, and two new certificate types for the Transport Layer Security (TLS) protocol 
version 1.2 to support the Russian cryptographic standard algorithms (called "GOST" algorithms). 
This document specifies a profile of TLS 1.2 with GOST algorithms so that implementers can 
produce interoperable implementations. 


This specification facilitates implementations that aim to support the GOST algorithms. This 
document does not imply IETF endorsement of the cipher suites, signature algorithms, supported 
groups, and certificate types. 


Status of This Memo 


This document is not an Internet Standards Track specification; it is published for informational 
purposes. 


This is a contribution to the RFC Series, independently of any other RFC stream. The RFC Editor 
has chosen to publish this document at its discretion and makes no statement about its value for 
implementation or deployment. Documents approved for publication by the RFC Editor are not 
candidates for any level of Internet Standard; see Section 2 of RFC 7841. 


Information about the current status of this document, any errata, and how to provide feedback
on it may be obtained at https://www.rfc-editor.org/info/rfc9189. 
1. Introduction


This document specifies three new cipher suites, two new signature algorithms, seven new 
supported groups, and two new certificate types for the Transport Layer Security (TLS) protocol 
version 1.2 [RFC5246] (note that [RFC5246] has been obsoleted by [RFC8446]) to support the set of
Russian cryptographic standard algorithms (called "GOST" algorithms). This document specifies a
profile of TLS 1.2 with GOST algorithms so that implementers can produce interoperable
implementations. The profile of TLS 1.2 with GOST algorithms uses the hash algorithm GOST R
34.11-2012 [RFC6986], the signature algorithm GOST R 34.10-2012 [RFC7091], and two types of
cipher suites: the CTR_OMAC and the CNT_IMIT.


The CTR_OMAC cipher suites use the GOST R 34.12-2015 (see [RFC7801] and [RFC8891]) block 
ciphers. 


The CNT_IMIT cipher suite uses the GOST 28147-89 [RFC5830] block cipher.


This document specifies the profile of the TLS protocol version 1.2 with GOST algorithms. The 
profile of the TLS protocol version 1.3 [RFC8446] with GOST algorithms is specified in a separate 
document [DraftGostTLS13]. 


This specification facilitates implementations that aim to support the GOST algorithms. This 
document does not imply IETF endorsement of the cipher suites, signature algorithms, supported 
groups, and certificate types. 


2. Conventions Used in This Document 


The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT",
"RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be
interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.


3. Basic Terms and Definitions 


This document follows the terminology from [RFC8446bis] for "preliminary secret" and
"extended_main_secret".


This document uses the following terms and definitions for the sets and operations on the 
elements of these sets: 
the set of byte strings of length t, t >= 0. For t = 0, the B_t set consists of a single empty
string of zero length. If A is an element of B_t, then A = (a_1, a_2, ..., a_t), where a_1, a_2,
..., a_t are in {0, ..., 255}.


the set of all byte strings of a finite length (hereinafter referred to as "strings"),
including the empty string.


the string A[i..j] = (a_i, a_{i+1}, ..., a_j) in B_{j-i+1}, where A = (a_1, ..., a_t) in B_t and
1<=i<=j<=t.


the length of the byte string A in bytes.


concatenation of strings A and C both belonging to B*, i.e., a string in B_{L(A)+L(C)},
where the left substring in B_{L(A)} is equal to A and the right substring in B_{L(C)} is equal
to C.


bitwise exclusive-or of byte strings A and C both belonging to B_t (both are of length t
bytes), i.e., a string in B_t such that if A = (a_1, a_2, ..., a_t) and C = (c_1, c_2, ..., c_t), then A
XOR C = (a_1 (xor) c_1, a_2 (xor) c_2, ..., a_t (xor) c_t), where (xor) is bitwise exclusive-or
of bytes.


bitwise AND of unsigned integers i and j.


the transformation that maps an integer i = 256^{t-1} * i_1 + ... + 256 * i_{t-1} + i_t into the
byte string STR_t(i) = (i_1, ..., i_t) in B_t (the interpretation of the integer as a byte string
in big-endian format).


the transformation that maps an integer i = 256^{t-1} * i_t + ... + 256 * i_2 + i_1 into the byte
string str_t(i) = (i_1, ..., i_t) in B_t (the interpretation of the integer as a byte string in
little-endian format).


the transformation that maps a string a = (a_1, ..., a_t) in B_t into the integer INT(a) =
256^{t-1} * a_1 + ... + 256 * a_{t-1} + a_t (the interpretation of the byte string in big-endian
format as an integer).


the transformation that maps a string a = (a_1, ..., a_t) in B_t into the integer int(a) =
256^{t-1} * a_t + ... + 256 * a_2 + a_1 (the interpretation of the byte string in little-endian
format as an integer).


the length of the block cipher key in bytes. 

the length of the block cipher block in bytes. 
the public key stored in the client's certificate. 
the private key that corresponds to the Q_c key.
the public key stored in the server's certificate.


the private key that corresponds to the Q_s key.
q_s an order of a cyclic subgroup of the elliptic curve points group containing point Q_s.

P_s the distinguished generator of the subgroup of order q_s that belongs to the same curve
as Q_s.

r_c the random string contained in the ClientHello.random field (see [RFC5246]).

r_s the random string contained in the ServerHello.random field (see [RFC5246]).


4. Cipher Suite Definitions 
This document specifies the CTR_OMAC cipher suites and the CNT_IMIT cipher suite.


The CTR_OMAC cipher suites have the following values: 


TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC = {0xC1, 0x00};
TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC = {0xC1, 0x01}.


The CNT_IMIT cipher suite has the following value:


TLS_GOSTR341112_256_WITH_28147_CNT_IMIT = {0xC1, 0x02}.


4.1. Record Payload Protection 
The profile of TLS 1.2 with GOST algorithms requires that the compression not be used. 


All of the cipher suites described in this document use such modes of operation (see Section 4.3.3) 
that protect the records in the same way as if they were protected by a stream cipher. The 
TLSCiphertext structure for the CTR_OMAC and CNT_IMIT cipher suites is specified in accordance
with the standard stream cipher case (see Section 6.2.3.1 of [RFC5246]): 


struct {
    ContentType type;
    ProtocolVersion version;
    uint16 length;
    GenericStreamCipher fragment;
} TLSCiphertext;


where TLSCiphertext.fragment is generated in accordance with Section 4.1.1 when the CTR_OMAC
cipher suites are used and Section 4.1.2 when the CNT_IMIT cipher suite is used.


The connection key material is a key material that consists of the sender_write_key (either the
client_write_key or the server_write_key), the sender_write_MAC_key (either the
client_write_MAC_key or the server_write_MAC_key), and the sender_write_IV (either the
client_write_IV or the server_write_IV) parameters that are generated in accordance with Section
6.3 of [RFC5246].


The record key material is a key material that is generated from the connection key material and
is used to protect a record with a certain sequence number. Note that with some cipher suites
defined in this document, the record key material can be equal to the connection key material.


In this section, the TLSCiphertext.fragment generation is described for one particular endpoint 
(server or client) with the corresponding connection key material and record key material. 


4.1.1. CTR_OMAC


In the CTR_OMAC cipher suites, the record key material differs from the connection key material,
and for the seqnum sequence number consists of:


K_ENC_seqnum in B_k;
K_MAC_seqnum in B_k; and
IV_seqnum in B_{n/2}.


The K_ENC_seqnum and K_MAC_seqnum values are calculated using the TLSTREE function
defined in Section 8.1, the connection key material, and the seqnum sequence number.


IV_seqnum is calculated by adding the seqnum value to sender_write_IV modulo 2^((n/2)*8).


K_ENC_seqnum = TLSTREE(sender_write_key, seqnum);
K_MAC_seqnum = TLSTREE(sender_write_MAC_key, seqnum); and
IV_seqnum = STR_{n/2}((INT(sender_write_IV) + seqnum)
mod 2^((n/2)*8)).


The TLSCiphertext.fragment that corresponds to the seqnum sequence number is calculated as 
follows: 


1. The MACValue_seqnum value is generated using the Message Authentication Code (MAC)
algorithm (see Section 4.3.2) similar to Section 6.2.3.1 of [RFC5246], except the
sender_write_MAC_key is replaced by the K_MAC_seqnum key:


MACValue_seqnum = MAC(K_MAC_seqnum, STR_8(seqnum) | type_seqnum |
version_seqnum | length_seqnum | fragment_seqnum),


where type_seqnum, version_seqnum, length_seqnum, and fragment_seqnum are the
TLSCompressed.type, TLSCompressed.version, TLSCompressed.length, and
TLSCompressed.fragment values of the record with the seqnum sequence number.


2. The entire data with the MACValue is encrypted with the ENC stream cipher (see Section 4.3.3):


ENCValue_seqnum = ENC(K_ENC_seqnum, IV_seqnum, fragment_seqnum |
MACValue_seqnum),


where fragment_seqnum is the TLSCompressed.fragment value of the record with the seqnum
sequence number.


3. The fields of the GenericStreamCipher structure (see Section 6.2.3.1 of [RFC5246]) for the
TLSCiphertext.fragment value are defined by the ENCValue_seqnum value:


TLSCiphertext.fragment.content =
ENCValue_seqnum[1..length_seqnum],


TLSCiphertext.fragment.MAC = ENCValue_seqnum[length_seqnum +
1..length_seqnum + mac_length],


where length_seqnum is the TLSCompressed.length value of the record with the seqnum
sequence number and mac_length is equal to 16 for the
TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC cipher suite and 8 for the
TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC cipher suite.


Note that the CTR_OMAC cipher suites use the authenticate-then-encrypt method (see Appendix
F.4 of [RFC5246]). Since these ciphers are functioning as stream ciphers, the
authenticate-then-encrypt method is secure, and as specified by [RFC7366], the server that
selects the CTR_OMAC ciphers MUST NOT send an encrypt_then_mac extension to the client.


4.1.2. CNT_IMIT


In the CNT_IMIT cipher suite, the record key material is equal to the connection key material and
consists of:


sender_write_key in B_k;
sender_write_MAC_key in B_k; and
sender_write_IV in B_n.


The TLSCiphertext.fragment that corresponds to the seqnum sequence number is calculated as
follows:


1. The MACValue_seqnum value is generated by the MAC algorithm (see Section 4.3.2) as follows:


MACValue_seqnum = MAC(sender_write_MAC_key, STR_8(0) | type_0 |
version_0 | length_0 | fragment_0 | ... | STR_8(seqnum) |
type_seqnum | version_seqnum | length_seqnum | fragment_seqnum),


where type_i, version_i, length_i, fragment_i, and i in {0, ..., seqnum} are the
TLSCompressed.type, TLSCompressed.version, TLSCompressed.length, and
TLSCompressed.fragment values of the record with the i sequence number.


Due to the use of the mode based on Cipher Block Chaining MAC (CBC-MAC) (see Section 4.3.2),
producing the MACValue_seqnum value does not mean processing all previous records. It is
enough to store only an intermediate internal state of the MAC algorithm.


2. The entire data with the MACValue is encrypted with the ENC stream cipher (see Section 4.3.3):


ENCValue_0 | ... | ENCValue_seqnum = ENC(sender_write_key,
sender_write_IV, fragment_0 | MACValue_0 | ... | fragment_seqnum |
MACValue_seqnum),


where the length of the byte string ENCValue_i in bytes is equal to the length of the byte string
(fragment_i | MACValue_i) in bytes and i in {0, ..., seqnum}.

Due to the use of the stream cipher (see Section 4.3.3), producing the ENCValue_seqnum value
does not mean processing all previous records. It is enough to store only an intermediate
internal state of the ENC stream cipher.


3. The fields of the GenericStreamCipher structure (see Section 6.2.3.1 of [RFC5246]) for the
TLSCiphertext.fragment value are defined by the ENCValue_seqnum value:


TLSCiphertext.fragment.content =
ENCValue_seqnum[1..length_seqnum],


TLSCiphertext.fragment.MAC = ENCValue_seqnum[length_seqnum +
1..length_seqnum + mac_length],


where length_seqnum is the TLSCompressed.length value of the record with the seqnum
sequence number, and mac_length is equal to 4.


Note that the CNT_IMIT cipher suite uses the authenticate-then-encrypt method (see Appendix F.4
of [RFC5246]). Since this cipher is functioning as a stream cipher, the authenticate-then-encrypt
method is secure, and as specified by [RFC7366], the server that selects the CNT_IMIT cipher MUST
NOT send an encrypt_then_mac extension to the client.


4.2. Key Exchange and Authentication 


The cipher suites defined in this document use a key encapsulation mechanism based on Diffie- 
Hellman to share the TLS preliminary secret. 
Client                                               Server

ClientHello                  -------->
                                                ServerHello
                                                Certificate
                                        CertificateRequest*
                             <--------      ServerHelloDone
Certificate*
ClientKeyExchange
CertificateVerify*
[ChangeCipherSpec]
Finished                     -------->
                                         [ChangeCipherSpec]
                             <--------             Finished
Application Data             <------->     Application Data


Figure 1: Message Flow for a Full Handshake

Notes for Figure 1:


1. "*" indicates optional messages that are sent for the client authentication.


2. To help avoid pipeline stalls, ChangeCipherSpec is an independent TLS protocol content type 
and is not actually a TLS handshake message. 


Figure 1 shows all messages involved in the TLS key establishment protocol (full handshake). A 
ServerKeyExchange MUST NOT be sent (the server's certificate contains enough data to allow the 
client to exchange the preliminary secret). 


The server side of the channel is always authenticated; the client side is optionally authenticated. 
The server is authenticated by proving that it knows the preliminary secret that is encrypted with 
the public key Q_s from the server's certificate. The client is authenticated via its signature over 
the handshake transcript. 


In general, the key exchange process for both the CTR_OMAC and CNT_IMIT cipher suites consists
of the following steps:


1. The client generates the ephemeral key pair (d_eph, Q_eph) that corresponds to the server's
public key Q_s stored in its certificate.

2. The client generates the preliminary secret PS. The PS value is chosen from B_32 at random.

3. Using d_eph and Q_s, the client generates the export key material (see Sections 4.2.4.1 and
4.2.4.2) for the particular key export algorithm (see Sections 8.2.1 and 8.2.2) to generate the
export representation PSExp of the PS value.

4. The client sends its ephemeral public key Q_eph and PSExp value in the ClientKeyExchange
message.

5. Using its private key d_s, the server generates the import key material (see Sections 4.2.4.1
and 4.2.4.2) for the particular key import algorithm (see Sections 8.2.1 and 8.2.2) to extract the
preliminary secret PS from the export representation PSExp.


This section specifies the data structures and computations used by the profile of TLS 1.2 with
GOST algorithms. The specifications for the ClientHello, ServerHello, Server Certificate,
CertificateRequest, ClientKeyExchange, CertificateVerify, and Finished handshake messages are
described in further detail below.


4.2.1. Hello Messages 


The ClientHello message is generated in accordance with Section 7.4.1.2 of [RFC5246] and must
meet the following requirements:


* The ClientHello.compression_methods field MUST contain exactly one byte, set to zero, which
corresponds to the "null" compression method.

* The ClientHello.extensions field MUST contain the signature_algorithms extension (see
[RFC5246]).


If the negotiated cipher suite is one of CTR_OMAC/CNT_IMIT and the signature_algorithms
extension in the ClientHello message does not contain the values defined in Section 5, the
server MUST either abort the connection or ignore this extension and behave as if the client
had sent the signature_algorithms extension with the values (8, 64) and (8, 65).


The ServerHello message is generated in accordance with Section 7.4.1.3 of [RFC5246] and must 
meet the following requirements: 


* The ServerHello.compression_method field MUST contain exactly one byte, set to zero, which
corresponds to the "null" compression method.


* The ServerHello.extensions field MUST NOT contain the encrypt_then_mac extension (see
[RFC7366]).
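
The Hello-message requirements above, written as a server-side check over a raw ClientHello body. This is an added example, not code from the RFC or its authors; the function names, the `strict` switch, the choice to reject a ClientHello that lacks signature_algorithms, and the sample message are assumptions of the example, and the extension type numbers 13 and 22 come from RFC 5246 and RFC 7366.

```python
GOST_SUITES = {0xC100, 0xC101, 0xC102}   # cipher suite values from Section 4
GOST_SIGALGS = {(8, 64), (8, 65)}        # (hash, signature) pairs from Section 5
EXT_SIGNATURE_ALGORITHMS = 13            # extension type, RFC 5246
EXT_ENCRYPT_THEN_MAC = 22                # extension type, RFC 7366


class ProfileError(ValueError):
    """A MUST of the profile is violated; the caller aborts the handshake."""


def _take(buf, off, n):
    if off + n > len(buf):
        raise ProfileError("truncated ClientHello")
    return buf[off:off + n], off + n


def _vector(buf, off, len_bytes):
    """Read a TLS vector that has a len_bytes-wide length prefix."""
    raw, off = _take(buf, off, len_bytes)
    return _take(buf, off, int.from_bytes(raw, "big"))


def parse_client_hello(body):
    """Parse a ClientHello body (the bytes after the 4-byte handshake header)."""
    _, off = _take(body, 0, 2 + 32)       # client_version, random
    _, off = _vector(body, off, 1)        # session_id
    raw_suites, off = _vector(body, off, 2)
    compression, off = _vector(body, off, 1)
    extensions = {}
    if off < len(body):
        raw_ext, off = _vector(body, off, 2)
        pos = 0
        while pos < len(raw_ext):
            ext_type, pos = _take(raw_ext, pos, 2)
            ext_data, pos = _vector(raw_ext, pos, 2)
            extensions[int.from_bytes(ext_type, "big")] = ext_data
    if len(raw_suites) % 2:
        raise ProfileError("odd cipher_suites length")
    suites = [int.from_bytes(raw_suites[i:i + 2], "big")
              for i in range(0, len(raw_suites), 2)]
    return suites, compression, extensions


def usable_sigalgs(body, negotiated_suite, strict=False):
    """Return the signature/hash pairs the server may rely on.

    strict=True takes the "abort the connection" branch; strict=False takes the
    "behave as if the client had sent (8, 64) and (8, 65)" branch.
    """
    suites, compression, extensions = parse_client_hello(body)
    if negotiated_suite not in GOST_SUITES or negotiated_suite not in suites:
        raise ProfileError("negotiated suite is not an offered GOST suite")
    if compression != b"\x00":
        raise ProfileError("compression_methods must be exactly one zero byte")
    if EXT_SIGNATURE_ALGORITHMS not in extensions:
        # Choice of this example: a missing mandatory extension is fatal.
        raise ProfileError("signature_algorithms extension is missing")
    pairs, _ = _vector(extensions[EXT_SIGNATURE_ALGORITHMS], 0, 2)
    if len(pairs) % 2:
        raise ProfileError("odd signature_algorithms length")
    offered = {(pairs[i], pairs[i + 1]) for i in range(0, len(pairs), 2)}
    usable = offered & GOST_SIGALGS
    if usable:
        return usable
    if strict:
        raise ProfileError("no GOST signature algorithm offered")
    return set(GOST_SIGALGS)


def server_hello_extensions_ok(extension_types):
    """ServerHello.extensions MUST NOT contain encrypt_then_mac."""
    return EXT_ENCRYPT_THEN_MAC not in extension_types


def sample_client_hello(sigalgs, compression=b"\x00"):
    """Constructed sample: offers both CTR_OMAC suites and the given pairs."""
    pairs = b"".join(bytes(p) for p in sigalgs)
    ext_data = len(pairs).to_bytes(2, "big") + pairs
    ext = ((EXT_SIGNATURE_ALGORITHMS).to_bytes(2, "big")
           + len(ext_data).to_bytes(2, "big") + ext_data)
    suites = b"\xc1\x00\xc1\x01"
    return (b"\x03\x03" + bytes(32) + b"\x00"
            + len(suites).to_bytes(2, "big") + suites
            + bytes([len(compression)]) + compression
            + len(ext).to_bytes(2, "big") + ext)
```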


4.2.2. Server Certificate 


This message is used to authentically convey the server's public key Q_s to the client and is 
generated in accordance with Section 7.4.2 of [RFC5246]. 


Upon receiving this message, the client validates the certificate chain, extracts the server's public 
key, and checks that the key type is appropriate for the negotiated key exchange algorithm. (A 
possible reason for a fatal handshake failure is that the client's capabilities for handling elliptic 
curves and point formats are exceeded). 


4.2.3. CertificateRequest 
This message is sent by the server when requesting client authentication and is generated in
accordance with Section 7.4.4 of [RFC5246].


If the CTR_OMAC or CNT_IMIT cipher suite is negotiated, the CertificateRequest message MUST
meet the following requirements:


* the CertificateRequest.supported_signature_algorithm field MUST contain only signature/
hash algorithm pairs with the values (8, 64) or (8, 65) defined in Section 5;


* the CertificateRequest.certificate_types field MUST contain only the gost_sign256 (67) or
gost_sign512 (68) values defined in Section 7.
4.2.4. ClientKeyExchange


The ClientKeyExchange message is defined as follows:


enum { vko_kdf_gost, vko_gost } KeyExchangeAlgorithm;


struct {
    select (KeyExchangeAlgorithm) {
        case vko_kdf_gost: GostKeyTransport;
        case vko_gost: TLSGostKeyTransportBlob;
    } exchange_keys;
} ClientKeyExchange;


The body of the ClientKeyExchange message consists of a GostKeyTransport/
TLSGostKeyTransportBlob structure that contains an export representation of the preliminary
secret PS.


The GostKeyTransport structure corresponds to the CTR_OMAC cipher suites and is described in
Section 4.2.4.1, and the TLSGostKeyTransportBlob structure corresponds to the CNT_IMIT cipher
suite and is described in Section 4.2.4.2.


The DER encoding rules are used to encode the GostKeyTransport and the 
TLSGostKeyTransportBlob structures. 


4.2.4.1. CTR_OMAC


In the CTR_OMAC cipher suites, the body of the ClientKeyExchange message consists of the
GostKeyTransport structure that is defined below.


The client generates the ClientKeyExchange message in accordance with the following steps:

1. Generates the ephemeral key pair (Q_eph, d_eph), where:


d_eph is chosen from {1, ..., q_s - 1} at random;


Q_eph = d_eph * P_s.


2. Generates the preliminary secret PS, where PS is chosen from B_32 at random.


3. Generates export keys (K_EXP_MAC and K_EXP_ENC) using the KEG algorithm defined in
Section 8.3.1:


H = HASH(r_c | r_s);


K_EXP_MAC | K_EXP_ENC = KEG(d_eph, Q_s, H).


4. Generates an export representation PSExp of the preliminary secret PS using the KExp15
algorithm defined in Section 8.2.1:
IV = H[25..24 + n / 2];


PSExp = KExp15(PS, K_EXP_MAC, K_EXP_ENC, IV).


5. Generates the ClientKeyExchange message using the GostKeyTransport structure that is
defined as follows:


GostKeyTransport ::= SEQUENCE {
    keyExp OCTET STRING,
    ephemeralPublicKey SubjectPublicKeyInfo,
    ukm OCTET STRING OPTIONAL
}

SubjectPublicKeyInfo ::= SEQUENCE {
    algorithm AlgorithmIdentifier,
    subjectPublicKey BIT STRING
}

AlgorithmIdentifier ::= SEQUENCE {
    algorithm OBJECT IDENTIFIER,
    parameters ANY OPTIONAL
}


where the keyExp field contains the PSExp value, the ephemeralPublicKey field contains the
Q_eph value, and the ukm field MUST be ignored by the server.


Upon receiving the ClientKeyExchange message, the server process is as follows.


1. The following three conditions are checked. If any of these checks fail, then the server MUST
abort the handshake with an alert.

* Q_eph belongs to the same curve as server public key Q_s;

* Q_eph is not equal to zero point;

* q_s * Q_eph is equal to zero point.


2. The export keys (K_EXP_MAC and K_EXP_ENC) are generated using the KEG algorithm defined
in Section 8.3.1:


H = HASH(r_c | r_s);
K_EXP_MAC | K_EXP_ENC = KEG(d_s, Q_eph, H).

3. The preliminary secret PS is extracted from the export representation PSExp using the
KImp15 algorithm defined in Section 8.2.1:

IV = H[25..24 + n / 2];


PS = KImp15(PSExp, K_EXP_MAC, K_EXP_ENC, IV).
4.2.4.2. CNT_IMIT


In the CNT_IMIT cipher suite, the body of the ClientKeyExchange message consists of a
TLSGostKeyTransportBlob structure that is defined below.


The client generates the ClientKeyExchange message in accordance with the following steps:

1. The ephemeral key pair (Q_eph, d_eph) is generated, where:


d_eph is chosen from {1, ..., q_s - 1} at random;


Q_eph = d_eph * P_s.


2. The preliminary secret PS is generated, where PS is chosen from B_32 at random.

3. The export key (K_EXP) is generated using the KEG_28147 algorithm defined in Section 8.3.2:


H = HASH(r_c | r_s);
K_EXP = KEG_28147(d_eph, Q_s, H).

4. An export representation PSExp of the preliminary secret PS using the KExp28147 algorithm
defined in Section 8.2.2 is generated:

PSExp = IV | CEK_ENC | CEK_MAC = KExp28147(PS, K_EXP, H[1..8]).


5. The ClientKeyExchange message is generated using the TLSGostKeyTransportBlob structure
that is defined as follows:


TLSGostKeyTransportBlob ::= SEQUENCE {
    keyBlob GostR3410-KeyTransport
}

GostR3410-KeyTransport ::= SEQUENCE {
    sessionEncryptedKey Gost28147-89-EncryptedKey,
    transportParameters [0] IMPLICIT GostR3410-TransportParameters OPTIONAL
}

Gost28147-89-EncryptedKey ::= SEQUENCE {
    encryptedKey Gost28147-89-Key,
    maskKey [0] IMPLICIT Gost28147-89-Key OPTIONAL,
    macKey Gost28147-89-MAC
}

GostR3410-TransportParameters ::= SEQUENCE {
    encryptionParamSet OBJECT IDENTIFIER,
    ephemeralPublicKey [0] IMPLICIT SubjectPublicKeyInfo OPTIONAL,
    ukm OCTET STRING
}


where GostR3410-KeyTransport, Gost28147-89-EncryptedKey, and GostR3410-
TransportParameters are defined according to Section 4.2.1 of [RFC4490].
In the context of this document, the GostR3410-KeyTransport.transportParameters field is always
used, the Gost28147-89-EncryptedKey.maskKey field is omitted, and the GostR3410-
KeyTransport.transportParameters.ephemeralPublicKey field is always used.


The Gost28147-89-EncryptedKey.encryptedKey field contains the CEK_ENC value, the
Gost28147-89-EncryptedKey.macKey field contains the CEK_MAC value, and the GostR3410-
TransportParameters.ukm field contains the initialization vector (IV) value.


The keyBlob.transportParameters.ephemeralPublicKey field contains the client ephemeral public
key Q_eph. The encryptionParamSet contains the value 1.2.643.7.1.2.5.1.1, which corresponds to
the id-tc26-gost-28147-param-Z parameters set defined in [RFC7836].


Upon receiving the ClientKeyExchange message, the server process is as follows.


1. The following three conditions are checked. If either of these checks fails, then the server
MUST abort the handshake with an alert.

* Q_eph belongs to the same curve as server public key Q_s;

* Q_eph is not equal to zero point;

* q_s * Q_eph is equal to zero point.


2. The export key (K_EXP) is generated using the KEG_28147 algorithm defined in Section 8.3.2:

H = HASH(r_c | r_s);
K_EXP = KEG_28147(d_s, Q_eph, H).

3. The preliminary secret PS is extracted from the export representation PSExp using the
KImp28147 algorithm defined in Section 8.2.2:


PS = KImp28147(PSExp, K_EXP, H[1..8]).
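
The three checks the server applies to Q_eph in Sections 4.2.4.1 and 4.2.4.2, shown on a toy curve so that each check can be seen to reject a different kind of point. This is an added example, not code from the RFC; the curve y^2 = x^3 + x over F_43 (44 points, prime subgroup order 11, cofactor 4) and all function names are constructed for illustration and are not GOST parameters.

```python
# Toy short-Weierstrass curve, constructed for this example only.
P_MOD, A, B = 43, 1, 0     # y^2 = x^3 + A*x + B over F_43; the group has 44 points
Q_ORDER = 11               # plays the role of q_s
COFACTOR = 4               # 44 = 4 * 11
ZERO = None                # the zero point (point at infinity)


def on_curve(pt):
    """True if pt satisfies the curve equation (the zero point counts as on-curve)."""
    if pt is ZERO:
        return True
    x, y = pt
    if not (0 <= x < P_MOD and 0 <= y < P_MOD):
        return False
    return (y * y - (x * x * x + A * x + B)) % P_MOD == 0


def add(p1, p2):
    """Group law in affine coordinates."""
    if p1 is ZERO:
        return p2
    if p2 is ZERO:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return ZERO                      # p2 = -p1, including doubling with y = 0
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow((2 * y1) % P_MOD, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def mul(k, pt):
    """Scalar multiplication k * pt by double-and-add."""
    acc = ZERO
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def find_subgroup_generator():
    """Return a point of order Q_ORDER: clear the cofactor of the first usable point."""
    for x in range(P_MOD):
        for y in range(P_MOD):
            if on_curve((x, y)):
                cand = mul(COFACTOR, (x, y))
                if cand is not ZERO:
                    return cand
    raise RuntimeError("no generator found")


P_S = find_subgroup_generator()          # plays the role of P_s


def check_q_eph(q_eph):
    """Apply the three conditions in the order the text lists them.

    Returns "ok", or the reason for which the server aborts the handshake.
    In a real implementation "same curve" also means the curve parameters in
    the ephemeralPublicKey match those of the server certificate.
    """
    if not on_curve(q_eph):
        return "not on curve"
    if q_eph is ZERO:
        return "zero point"
    if mul(Q_ORDER, q_eph) is not ZERO:
        return "wrong order"             # on the curve, but outside the q_s subgroup
    return "ok"
```

The point (0, 0) lies on this toy curve and has order 2, so only the third condition rejects it; the on-curve test alone is not sufficient when the cofactor is greater than 1.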


4.2.5. CertificateVerify 


The client generates the value sgn as follows: 


sgn = SIGN_{d_c}(handshake_messages) = str_l(r) | str_l(s)


where SIGN_{d_c} is the GOST R 34.10-2012 [RFC7091] signature algorithm, d_c is a client long-term
private key that corresponds to the client long-term public key Q_c from the client's certificate, l =
32 for the gostr34102012_256 value of the SignatureAndHashAlgorithm field, and l = 64 for the
gostr34102012_512 value of the SignatureAndHashAlgorithm field.


Here, "handshake_messages" refers to all handshake messages sent or received, starting at
ClientHello and up to CertificateVerify without the last message; it includes the type and length
fields of the handshake messages.


The TLS CertificateVerify message is specified as follows: 
struct {
    SignatureAndHashAlgorithm algorithm;
    opaque signature<0..2^16-1>;
} CertificateVerify;


where the SignatureAndHashAlgorithm structure is specified in Section 5, and the
CertificateVerify.signature field contains the sgn value.


4.2.6. Finished 
The TLS Finished message is generated in accordance with Section 7.4.9 of [RFC5246]. 


The verify_data_length value is equal to 32 for the CTR_OMAC cipher suites and is equal to 12 for
the CNT_IMIT cipher suite. The pseudorandom function (PRF) is defined in Section 4.3.4.


4.3. Cryptographic Algorithms 


4.3.1. Block Cipher 


The cipher suite TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC MUST use Kuznyechik
[RFC7801] as a base block cipher for the encryption and MAC algorithm. The block length n is 16
bytes, and the key length k is 32 bytes.


The cipher suite TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC MUST use Magma [RFC8891]
as a base block cipher for the encryption and MAC algorithm. The block length n is 8 bytes, and
the key length k is 32 bytes.


The cipher suite TLS_GOSTR341112_256_WITH_28147_CNT_IMIT MUST use GOST 28147-89 as a base
block cipher [RFC5830] with the set of parameters id-tc26-gost-28147-param-Z defined in
[RFC7836]. The block length n is 8 bytes, and the key length k is 32 bytes.


4.3.2. MAC Algorithm 


The CTR_OMAC cipher suites use the One-Key MAC (OMAC) construction defined in
[GOST3413-2015], which is the same as the Cipher-Based MAC (CMAC) mode defined in [CMAC]
where the Kuznyechik or Magma block cipher (see Section 4.3.1) is used instead of the AES block
cipher (see [IK2003] for more detail) as the MAC function. The resulting MAC length is equal to the
block length, and the MAC key length is 32 bytes.


The CNT_IMIT cipher suite uses the MAC function gostIMIT28147 defined in Section 8.4 with the
initialization vector IV = IV0, where IV0 in B_8 is a string of all zeros, with the CryptoPro Key
Meshing algorithm defined in [RFC4357]. The resulting MAC length is 4 bytes, and the MAC key
length is 32 bytes.


4.3.3. Encryption Algorithm 


The CTR_OMAC cipher suites use the block cipher in the CTR-ACPKM encryption mode defined in
[RFC8645] as the ENC function. The section size N is 4 KB for the
TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC cipher suite and 1 KB for the
TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC cipher suite.


The CNT_IMIT cipher suite uses the block cipher in counter encryption mode (CNT) defined in
Section 6 of [RFC5830], with the CryptoPro key meshing algorithm defined in [RFC4357] as the ENC 
function. 


Note that the counter modes used in cipher suites described in this document act as stream 
ciphers. 

4.3.4. PRF and HASH Algorithms 

The PRF for all the cipher suites defined in this document is the PRF_TLS_GOSTR3411_2012_256 
function defined in [RFC7836]. 


The hash function HASH for all the cipher suites defined in this document is the GOST R 34.11-2012 
[RFC6986] hash algorithm with a 32-byte (256-bit) hash code. 


4.3.5. SNMAX Parameter 


The SNMAX parameter defines the maximal value of the seqnum sequence number during one 
TLS 1.2 connection and is defined as follows: 


Cipher Suites                                  SNMAX

TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC   SNMAX = 2^64 - 1
TLS_GOSTR341112_256_WITH_28147_CNT_IMIT
TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC        SNMAX = 2^32 - 1


Table 1


5. New Values for the TLS SignatureAlgorithm Registry 


The signature/hash algorithm pairs are used to indicate to the server/client which algorithms can 
be used in digital signatures and are defined by the SignatureAndHashAlgorithm structure (see 
Section 7.4.1.4.1 of [RFC5246]).


This document defines new values for the "TLS SignatureAlgorithm" registry that can be used in 
the SignatureAndHashAlgorithm.signature field for the particular signature/hash algorithm pair: 


enum {
    gostr34102012_256(64),
    gostr34102012_512(65),
} SignatureAlgorithm;


where the gostr34102012_256 and gostr34102012_512 values correspond to the GOST R 34.10-2012
[RFC7091] signature algorithm with a 32-byte (256-bit) and 64-byte (512-bit) key length,
respectively.


According to [RFC7091], the GOST R 34.10-2012 signature algorithm with a 32-byte (256-bit) or
64-byte (512-bit) key length uses the GOST R 34.11-2012 [RFC6986] hash algorithm with a 32-byte
(256-bit) or 64-byte (512-bit) hash code, respectively (the hash algorithm is intrinsic to the signature
algorithm). Therefore, if the SignatureAndHashAlgorithm.signature field of a particular hash/
signature pair listed in the Signature Algorithms Extension is equal to the 64 (gostr34102012_256)
or 65 (gostr34102012_512) value, the SignatureAndHashAlgorithm.hash field of this pair MUST
contain the "Intrinsic" value 8 (see [RFC8422]).


So, to represent gostr34102012_256 and gostr34102012_512 in the signature_algorithms extension,
the value shall be (8,64) and (8,65), respectively.


6. New Values for the TLS Supported Groups Registry 


The Supported Groups Extension indicates the set of elliptic curves supported by the client and is 
defined in [RFC8422] and [RFC7919]. 


This document defines new values for the "TLS Supported Groups" registry: 


enum {
    GC256A(34), GC256B(35), GC256C(36), GC256D(37),
    GC512A(38), GC512B(39), GC512C(40),
} NamedGroup;


where the values correspond to the following curves: 


Description   Curve Identifier Value                    Reference

GC256A        id-tc26-gost-3410-2012-256-paramSetA      [RFC7836]
GC256B        id-GostR3410-2001-CryptoPro-A-ParamSet    [RFC4357]
GC256C        id-GostR3410-2001-CryptoPro-B-ParamSet    [RFC4357]
GC256D        id-GostR3410-2001-CryptoPro-C-ParamSet    [RFC4357]
GC512A        id-tc26-gost-3410-12-512-paramSetA        [RFC7836]
GC512B        id-tc26-gost-3410-12-512-paramSetB        [RFC7836]
GC512C        id-tc26-gost-3410-2012-512-paramSetC      [RFC7836]

Table 2


7. New Values for the TLS ClientCertificateType Identifiers Registry


The ClientCertificateType field of the CertificateRequest message contains a list of certificate 
types that the client may offer and is defined in Section 7.4.4 of [RFC5246]. 


This document defines new values for the "TLS ClientCertificateType Identifiers" registry: 


enum {
    gost_sign256(67),
    gost_sign512(68),
} ClientCertificateType;


To use the gost_sign256 or gost_sign512 authentication mechanism, the client MUST possess a 
certificate containing a GOST R 34.10-2012-capable public key that corresponds to the 32-byte 
(256-bit) or 64-byte (512-bit) signature key, respectively. 


The client proves possession of the private key corresponding to the certified key by including a 
signature in the CertificateVerify message as described in Section 4.2.5. 


8. Additional Algorithms 


The cipher suites specified in this document rely on some additional algorithms, specified below; 
the use of these algorithms is not confined to the use in TLS specified in this document. 


8.1. TLSTREE 


The TLSTREE function is defined as follows: 


TLSTREE(K_root, i) = KDF_3(KDF_2(KDF_1(K_root, STR_8(i & C_1)), 
STR_8(i & C_2)), STR_8(i & C_3)), 


where 


* K_root in B_32; 

* i in {0, 1, ..., 2^64 - 1}; 

* C_1, C_2, C_3 are constants defined by the particular cipher suite (see Section 8.1.1); 

* KDF_j(K, D), j = 1, 2, 3, K in B_32, D in B_8, is the key derivation function based on the 
  KDF_GOSTR3411_2012_256 function defined in [RFC7836]: 


KDF_1(K, D) = KDF_GOSTR3411_2012_256(K, "level1", D); 


KDF_2(K, D) = KDF_GOSTR3411_2012_256(K, "level2", D); and 


KDF_3(K, D) = KDF_GOSTR3411_2012_256(K, "level3", D). 
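

The masks in TLSTREE decide how often each level of the key tree is re-derived. The sketch below is an added example, not code from this document: it applies the C_1, C_2, C_3 constants listed for the two CTR_OMAC cipher suites in Section 8.1.1 and computes the rekeying intervals they imply. HMAC-SHA-256 stands in for the GOST hash inside the KDF (an assumption, since Streebog is not in the Python standard library), and the names standin_kdf, records_per_key, first_changed_level and SAMPLE_ROOT are hypothetical.

```python
import hashlib
import hmac

MASK64 = 0xFFFFFFFFFFFFFFFF
# (C_1, C_2, C_3) per cipher suite, from the Section 8.1.1 table.
TLSTREE_CONSTANTS = {
    "TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC":
        (0xFFFFFFFF00000000, 0xFFFFFFFFFFF80000, 0xFFFFFFFFFFFFFFC0),
    "TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC":
        (0xFFFFFFC000000000, 0xFFFFFFFFFE000000, 0xFFFFFFFFFFFFF000),
}
LABELS = (b"level1", b"level2", b"level3")


def str_8(i):
    """STR_8(i): the integer as an 8-byte big-endian string."""
    return i.to_bytes(8, "big")


def standin_kdf(key, label, seed):
    """ASSUMPTION: HMAC-SHA-256 stands in for HMAC_GOSTR3411_2012_256.

    The input layout 0x01 | label | 0x00 | seed | 0x01 | 0x00 is the one
    KDF_GOSTR3411_2012_256 uses in RFC 7836; only the hash is swapped, so
    the keys produced here differ from real GOST keys.
    """
    data = b"\x01" + label + b"\x00" + seed + b"\x01\x00"
    return hmac.new(key, data, hashlib.sha256).digest()


def tlstree(k_root, seqnum, constants, kdf=standin_kdf):
    """TLSTREE(K_root, i): three chained KDF calls over masked copies of i."""
    if len(k_root) != 32:
        raise ValueError("K_root must be in B_32")
    if not 0 <= seqnum <= MASK64:
        raise ValueError("i must be in {0, ..., 2^64 - 1}")
    key = k_root
    for label, mask in zip(LABELS, constants):
        key = kdf(key, label, str_8(seqnum & mask))
    return key


def records_per_key(constants):
    """Consecutive sequence numbers sharing one key at each level.

    Valid for masks whose zero bits are all at the low end, as in the table.
    """
    return tuple((~mask & MASK64) + 1 for mask in constants)


def first_changed_level(seq_a, seq_b, constants):
    """Level (1 = nearest the root) whose KDF input differs, or None."""
    for level, mask in enumerate(constants, start=1):
        if seq_a & mask != seq_b & mask:
            return level
    return None


# Constructed root key, for illustration only.
SAMPLE_ROOT = bytes(range(32))

if __name__ == "__main__":
    for suite, constants in TLSTREE_CONSTANTS.items():
        print(suite, records_per_key(constants))
    magma = TLSTREE_CONSTANTS["TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC"]
    for seq in (0, 4095, 4096):
        print(seq, tlstree(SAMPLE_ROOT, seq, magma).hex())
```

With the Magma constants the record key changes every 4096 records, and with the Kuznyechik constants every 64 records; a change at level 1 or 2 re-derives every key below it.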


8.1.1. Key Tree Parameters 


The CTR_OMAC cipher suites use the TLSTREE function for the rekeying approach. The constants 
for it are defined as in the table below. 


Cipher Suites                                 C_1, C_2, C_3 
TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC  C_1=0xFFFFFFFF00000000 
                                              C_2=0xFFFFFFFFFFF80000 
                                              C_3=0xFFFFFFFFFFFFFFC0 
TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC       C_1=0xFFFFFFC000000000 
                                              C_2=0xFFFFFFFFFE000000 
                                              C_3=0xFFFFFFFFFFFFF000 
Table 3 


8.2. Key Export and Key Import Algorithms 


8.2.1. KExp15 and KImp15 Algorithms 


Algorithms KExp15 and KImp15 use the block cipher determined by the particular cipher suite. 


The KExp15 key export algorithm is defined as follows: 


+------------------------------------------------------------+
| KExp15(S, K_Exp_MAC, K_Exp_ENC, IV)                        |
|------------------------------------------------------------|
| Input:                                                     |
| - secret S to be exported, S in B*,                        |
| - key K_Exp_MAC in B_k,                                    |
| - key K_Exp_ENC in B_k,                                    |
| - IV in B_{n/2}                                            |
| Output:                                                    |
| - export representation SExp in B_{L(S)+n}                 |
|------------------------------------------------------------|
| 1. CEK_MAC = OMAC(K_Exp_MAC, IV | S), CEK_MAC in B_n       |
| 2. SExp = CTR-Encrypt(K_Exp_ENC, IV, S | CEK_MAC)          |
| 3. return SExp                                             |
+------------------------------------------------------------+


where the OMAC function is defined in [MODES] and the CTR-Encrypt(K, IV, S) function denotes 
the encryption of message S on key K and nonce IV in the CTR mode with s = n (see [MODES]). 


The KImp15 key import algorithm is defined as follows: 


+------------------------------------------------------------+
| KImp15(SExp, K_Exp_MAC, K_Exp_ENC, IV)                     |
|------------------------------------------------------------|
| Input:                                                     |
| - export representation SExp in B*                         |
| - key K_Exp_MAC in B_k,                                    |
| - key K_Exp_ENC in B_k,                                    |
| - IV in B_{n/2}                                            |
| Output:                                                    |
| - secret S in B_{L(SExp)-n} or FAIL                        |
|------------------------------------------------------------|
| 1. S | CEK_MAC = CTR-Decrypt(K_Exp_ENC, IV, SExp),         |
|    CEK_MAC in B_n                                          |
| 2. If CEK_MAC = OMAC(K_Exp_MAC, IV | S)                    |
|    then return S; else return FAIL                         |
+------------------------------------------------------------+


where the OMAC function is defined in [MODES] and the CTR-Decrypt(K, IV, S) function denotes 
the decryption of message S on key K and nonce IV in the CTR mode (see [MODES]). 


The keys K_Exp_MAC and K_Exp_ENC MUST be independent. For every pair of keys (K_Exp_ENC, 
K_Exp_MAC), the IV values MUST be unique. For the import of a key with the KImp15 algorithm, 
the IV value may be sent with the export key representation. 


8.2.2. KExp28147 and KImp28147 Algorithms 
The KExp28147 key export algorithm is defined as follows: 


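+------------------------------------------------------------+
| Input:                                                     |
| - secret S to be exported, S in B_32,                      |
| - key K in B_32,                                           |
| - IV in B_8.                                               |
| Output:                                                    |
| - export representation SExp in B_44                       |
|------------------------------------------------------------|
| 1. CEK_MAC = gost28147IMIT(IV, K, S), CEK_MAC in B_4       |
| 2. CEK_ENC = ECB-Encrypt(K, S), CEK_ENC in B_32            |
| 3. return SExp = IV | CEK_ENC | CEK_MAC                    |
+------------------------------------------------------------+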


where the gost28147IMIT function is defined in Section 8.4 and the ECB-Encrypt(K, S) function 
denotes the encryption of message S on key K with the block cipher GOST 28147-89 in the 
electronic codebook (ECB) mode (see [RFC5830]). 


The KImp28147 key import algorithm is defined as follows: 


+------------------------------------------------------------+
| KImp28147(SExp, K, IV)                                     |
|------------------------------------------------------------|
| Input:                                                     |
| - export representation SExp in B_44,                      |
| - key K in B_32,                                           |
| - IV in B_8.                                               |
| Output:                                                    |
| - imported secret S in B_32 or FAIL                        |
|------------------------------------------------------------|
| 1. extract from SExp                                       |
|      IV' = SExp[1..8],                                     |
|      CEK_ENC = SExp[9..40],                                |
|      CEK_MAC = SExp[41..44]                                |
| 2. if IV' != IV then return FAIL; else                     |
| 3. S = ECB-Decrypt(K, CEK_ENC), S in B_32                  |
| 4. If CEK_MAC = gost28147IMIT(IV, K, S)                    |
|      then return S; else return FAIL                       |
+------------------------------------------------------------+


where the gost28147IMIT function is defined in Section 8.4 and the ECB-Decrypt(CEK_ENC, M) 
function denotes the decryption of ciphertext CEK_ENC on key K with a block cipher GOST 
28147-89 in the ECB mode (see [RFC5830]). 


8.3. Key Exchange Generation Algorithms 


8.3.1. KEG Algorithm 
The KEG algorithm is defined as follows: 


+------------------------------------------------------------+
| KEG(d, Q, H)                                               |
|------------------------------------------------------------|
| Input:                                                     |
| - private key d,                                           |
| - public key Q,                                            |
| - H in B_32.                                               |
| Output:                                                    |
| - key material K in B_64.                                  |
|------------------------------------------------------------|
| 1. If q * Q is not equal to zero point                     |
|      return FAIL                                           |
| 2. If 2^254 < q < 2^256                                    |
|      return KEG_256(d, Q, H)                               |
| 3. If 2^508 < q < 2^512                                    |
|      return KEG_512(d, Q, H)                               |
| 4. return FAIL                                             |
+------------------------------------------------------------+


where q is an order of a cyclic subgroup of elliptic curve points group containing point Q, d in {1, 
..., q - 1}. 


The KEG_256 algorithm is defined as follows: 


+------------------------------------------------------------+
| Input:                                                     |
| - private key d,                                           |
| - public key Q,                                            |
| - H in B_32.                                               |
| Output:                                                    |
| - key material K in B_64.                                  |
|------------------------------------------------------------|
| 1. r = INT(H[1..16])                                       |
| 2. If r = 0                                                |
|      UKM = 1; else UKM = r                                 |
| 3. K_EXP = VKO_256(d, Q, UKM)                              |
| 4. seed = H[17..24]                                        |
| 5. return KDFTREE_256(K_EXP, "kdf tree", seed, 1)          |
+------------------------------------------------------------+


where VKO_256 is the function VKO_GOSTR3410_2012_256 defined in [RFC7836] and KDFTREE_256 
is the KDF_TREE_GOSTR3411_2012_256 function defined in [RFC7836] with the parameter L equal 
to 512. 


The KEG_512 algorithm is defined as follows: 


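+------------------------------------------------------------+
| Input:                                                     |
| - private key d,                                           |
| - public key Q,                                            |
| - H in B_32.                                               |
| Output:                                                    |
| - key material K in B_64.                                  |
|------------------------------------------------------------|
| 1. r = INT(H[1..16])                                       |
| 2. If r = 0                                                |
|      UKM = 1; else UKM = r                                 |
| 3. return VKO_512(d, Q, UKM)                               |
+------------------------------------------------------------+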


where VKO_512 is the VKO_GOSTR3410_2012_512 function defined in [RFC7836]. 


8.3.2. KEG_28147 Algorithm 
The KEG_28147 algorithm is defined as follows: 


+------------------------------------------------------------+
| Input:                                                     |
| - private key d,                                           |
| - public key Q,                                            |
| - H in B_32.                                               |
| Output:                                                    |
| - key material K in B_32.                                  |
|------------------------------------------------------------|
| 1. If q * Q is not equal to zero point                     |
|      return FAIL                                           |
| 2. UKM = H[1..8]                                           |
| 3. R = VKO_256(d, Q, int(UKM))                             |
| 4. return K = CPDivers(UKM, R)                             |
+------------------------------------------------------------+


where the VKO_256 function is equal to the VKO_GOSTR3410_2012_256 function defined in 
[RFC7836] and the CPDivers function corresponds to the CryptoPro KEK Diversification Algorithm 
defined in [RFC4357], which takes as input the User Keying Material (UKM) value and the key 
value. 


8.4. gostIMIT28147 


gost28147IMIT(IV, K, M) is a MAC algorithm with a 4-byte output and is defined as follows: 


+------------------------------------------------------------+
| Input:                                                     |
| - initial value IV in B_8,                                 |
| - key K in B_32,                                           |
| - message M in B*.                                         |
| Output:                                                    |
| - MAC value T in B_4.                                      |
|------------------------------------------------------------|
| 1. M' = PAD(M)                                             |
| 2. M' = M'_0 | ... | M'_r, L(M'_i) = 8, i in {0, ..., r}   |
| 3. M'' = (M'_0 XOR IV) | M'_1 | ... | M'_r                 |
| 4. return T = MAC28147(K, M'')                             |
+------------------------------------------------------------+


where the PAD function is the padding function that adds m zero bytes to the end of the message, 
m is the smallest, non-negative solution to the equation (L(M) + m) mod 8 = 0, and the MAC28147 
function corresponds to the MAC generation mode defined in [RFC5830] with a 4-byte length 
output. 


9. IANA Considerations 


IANA has added the following values to the "TLS Cipher Suites" registry: 


Value      Description                                   DTLS-OK  Recommended  Reference 
0xC1,0x00  TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC  N        N            RFC 9189 
0xC1,0x01  TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC       N        N            RFC 9189 
0xC1,0x02  TLS_GOSTR341112_256_WITH_28147_CNT_IMIT       N        N            RFC 9189 
Table 4 


IANA has added the following values to the "TLS SignatureAlgorithm" registry: 


Value  Description        DTLS-OK  Reference 
64     gostr34102012_256  Y        RFC 9189 
65     gostr34102012_512  Y        RFC 9189 
Table 5 


IANA has added the following values to the "TLS SignatureScheme" registry: 


Value Description Recommended Reference 

0x0840 Reserved for backward compatibility N RFC 9189 

0x0841 Reserved for backward compatibility N RFC 9189 
Table 6 


IANA has also added the following footnote to values 64 and 65 in the "TLS SignatureAlgorithm" 
registry: 


These values were allocated from the Reserved state due to a misunderstanding of the 
difference between Reserved and Unallocated that went undetected for a long time. 
Additional allocations from the Reserved state are not expected, and the TLS 
SignatureScheme registry is suitable for use for new allocations instead of this registry. 


IANA has added the following values to the "TLS Supported Groups" registry: 


Value  Description  DTLS-OK  Recommended  Reference 
34     GC256A       Y        N            RFC 9189 
35     GC256B       Y        N            RFC 9189 
36     GC256C       Y        N            RFC 9189 
37     GC256D       Y        N            RFC 9189 
38     GC512A       Y        N            RFC 9189 
39     GC512B       Y        N            RFC 9189 
40     GC512C       Y        N            RFC 9189 
Table 7 


IANA has added the following values to the "TLS ClientCertificateType Identifiers" registry: 


Value Description  DTLS-OK Reference 


67 gost_sign256 Y RFC 9189 
68 gost_sign512 Y RFC 9189 
Table 8 


10. Historical Considerations 


Note that prior to the existence of this document, implementations could use only the values 
from the "Private Use" space in order to use the GOST-based algorithms. So some old 
implementations can still use the old value {0xFF, 0x85} instead of the {0xC1, 0x02} value to 
indicate the TLS_GOSTR341112_256_WITH_28147_CNT_IMIT cipher suite; the old value 0xEE 
instead of the values 64, 8, and 67 (to indicate the gostr34102012_256 signature algorithm, the 
Intrinsic hash algorithm, and the gost_sign256 certificate type, respectively); the old value 0xEF 
instead of the values 65, 8, and 68 (to indicate the gostr34102012_512 signature algorithm, the 
Intrinsic hash algorithm, and the gost_sign512 certificate type, respectively). 


Due to historical reasons, in addition to the curve identifier values listed in Table 2, there exist 
some extra identifier values that correspond to the curves GC256B, GC256C, and GC256D as 
follows (see [RFC4357] and [R-1323565.1.024-2019]). 


Description  Curve Identifier Values 
GC256B       id-GostR3410_2001-CryptoPro-XchA-ParamSet 
             id-tc26-gost-3410-2012-256-paramSetB 
GC256C       id-tc26-gost-3410-2012-256-paramSetC 
GC256D       id-GostR3410-2001-CryptoPro-XchB-ParamSet 
             id-tc26-gost-3410-2012-256-paramSetD 
Table 9 


The client should be prepared to handle any of these correctly if the corresponding group is 
included in the supported_groups extension (see [RFC8422] and [RFC7919]). 
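

A defender inventorying which GOST code points clients still offer can apply the registered values and the legacy private-use values above directly to a ClientHello. The following is an added example, not part of this document: it reports registered values, legacy values from this section, and signature entries that break the Section 5 rule that signature 64 or 65 is paired with hash 8. The function and status names are hypothetical; one input is the ClientHello from the A.1.3.1 handshake example, the other is constructed.

```python
GOST_SUITES = {
    (0xC1, 0x00): "TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC",
    (0xC1, 0x01): "TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC",
    (0xC1, 0x02): "TLS_GOSTR341112_256_WITH_28147_CNT_IMIT",
}
# Private-use values that old implementations may still send (Section 10).
LEGACY_SUITES = {(0xFF, 0x85): "TLS_GOSTR341112_256_WITH_28147_CNT_IMIT"}
GOST_SIGNATURES = {64: "gostr34102012_256", 65: "gostr34102012_512"}
LEGACY_SIGNATURES = {0xEE: "gostr34102012_256", 0xEF: "gostr34102012_512"}
INTRINSIC_HASH = 8
EXT_SIGNATURE_ALGORITHMS = 0x000D


class Reader:
    """Bounds-checked cursor over a TLS structure."""

    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated structure")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def vector(self, length_bytes):
        return self.take(int.from_bytes(self.take(length_bytes), "big"))

    def exhausted(self):
        return self.pos == len(self.data)


def byte_pairs(blob, what):
    if len(blob) % 2:
        raise ValueError("odd-length " + what)
    return [(blob[i], blob[i + 1]) for i in range(0, len(blob), 2)]


def audit_signature_algorithms(ext_data):
    findings = []
    pairs = byte_pairs(Reader(ext_data).vector(2), "signature algorithm list")
    for hash_id, sig_id in pairs:
        if sig_id in GOST_SIGNATURES:
            # Section 5: signature 64/65 MUST carry hash 8 ("Intrinsic").
            status = "registered" if hash_id == INTRINSIC_HASH else "invalid-hash"
            findings.append(("sigalg", status, GOST_SIGNATURES[sig_id]))
        elif sig_id in LEGACY_SIGNATURES:
            findings.append(("sigalg", "legacy", LEGACY_SIGNATURES[sig_id]))
    return findings


def audit_client_hello(message):
    """Return (kind, status, name) tuples for every GOST code point offered."""
    outer = Reader(message)
    if outer.take(1) != b"\x01":
        raise ValueError("not a ClientHello handshake message")
    body = Reader(outer.vector(3))
    body.take(2 + 32)   # client_version, random
    body.vector(1)      # session_id
    suites = byte_pairs(body.vector(2), "cipher suite list")
    body.vector(1)      # compression_methods
    findings = []
    for suite in suites:
        if suite in GOST_SUITES:
            findings.append(("suite", "registered", GOST_SUITES[suite]))
        elif suite in LEGACY_SUITES:
            findings.append(("suite", "legacy", LEGACY_SUITES[suite]))
    if not body.exhausted():
        extensions = Reader(body.vector(2))
        while not extensions.exhausted():
            ext_type = int.from_bytes(extensions.take(2), "big")
            ext_data = extensions.vector(2)
            if ext_type == EXT_SIGNATURE_ALGORITHMS:
                findings.extend(audit_signature_algorithms(ext_data))
    return findings


def build_client_hello(suites, sig_pairs):
    """Constructed sample: minimal ClientHello with an all-zero random."""
    sig_list = bytes(b for pair in sig_pairs for b in pair)
    ext_data = len(sig_list).to_bytes(2, "big") + sig_list
    ext = b"\x00\x0d" + len(ext_data).to_bytes(2, "big") + ext_data
    suite_list = bytes(b for suite in suites for b in suite)
    body = (b"\x03\x03" + bytes(32) + b"\x00"
            + len(suite_list).to_bytes(2, "big") + suite_list
            + b"\x01\x00" + len(ext).to_bytes(2, "big") + ext)
    return b"\x01" + len(body).to_bytes(3, "big") + body


# ClientHello taken from the A.1.3.1 handshake example of this document.
DOCUMENT_CLIENT_HELLO = bytes.fromhex(
    "010000400303933EA21EC3802A561550 EC78D6ED51AC2439D7E749C31BC3A345"
    "6165889684CA000004C100C101010000 13000D0006000408400841FF01000100"
    "00170000")
# Constructed: legacy suite, legacy signature bytes, and 65 paired with hash 4.
LEGACY_CLIENT_HELLO = build_client_hello(
    [(0xFF, 0x85), (0xC1, 0x02)], [(0xEE, 0xEE), (4, 65)])
```

Calling audit_client_hello on each sample returns one tuple per GOST code point found, so the results can be tallied across captured handshakes to see how many peers still depend on the private-use values.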


11. Security Considerations 


The cipher suites defined in this document do not provide Perfect Forward Secrecy. 


The authenticate-then-encrypt method is crucial for the CNT_IMIT cipher suite. Encryption of the 
MAC value is conducted to reduce the possibility of forgery to guessing. Here, the probability of a 
guess is approximately equal to 2^(-32), which is acceptable in some practical cases. 


A.1. Test Examples for CTR_OMAC Cipher Suites 


A.1.1. TLSTREE Examples 


A.1.1.1. TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC Cipher Suite 


A.1.1.2. TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC Cipher Suite 


A.1.2. Record Examples 


A.1.2.1. TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC Cipher Suite 


A.1.2.2. TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC Cipher Suite 
A.1.3. Handshake Examples 


The ClientHello.extensions and the ServerHello.extensions fields contain the 
extended_main_secret extension (see [RFC7627]) and the renegotiation_info extension (see 
[RFC5746]) in the following examples. 


A.1.3.1. TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC Cipher Suite 


Server certificate curve OID: 
id-GostR3410-2001-CryptoPro-A-ParamSet, "1.2.643.2.2.35.1" 


Server public key Q_s: 
x = 0x6531D4A72E655BFC9DFB94293B260702 
      82FABF10D5C49B7366148C60E0BF8167 


y = 0x37F8CC71DC5D917FC4A66F7826E72750 
      8270B4FFC266C26CD4363E77B553A5B8 


Server private key d_s: 
0x5F308355DFD6A8ACAEE0837B100A3B1F 
  6D63FB29B78EF27D3967757F0527144C 


---------------------------Client---------------------------
ClientHello message:
   msg_type:                    01
   length:                      000040
   body:
      client_version:
         major:                 03
         minor:                 03
      random:                   933EA21EC3802A561550EC78D6ED51AC
                                2439D7E749C31BC3A3456165889684CA
      session_id:
         length:                00
         vector:                --
      cipher_suites:
         length:                0004
         vector:
            CipherSuite:        C100
            CipherSuite:        C101
      compression_methods:
         length:                01
         vector:
            CompressionMethod:  00
      extensions:
         length:                0013
         vector:
            Extension: /* signature_algorithms */
               extension_type:  000D
               extension_data:
                  length:       0006
                  vector:
                     supported_signature_algorithms:
                        length: 0004
                        vector:
                           /* 1 pair of algorithms */
                           hash:      08
                           signature: 40
                           /* 2 pair of algorithms */
                           hash:      08
                           signature: 41
            Extension: /* renegotiation_info */
               extension_type:  FF01
               extension_data:
                  length:       0001
                  vector:
                     renegotiated_connection:
                        length: 00
                        vector: --
            Extension: /* extended_main_secret */
               extension_type:  0017
               extension_data:
                  length:       0000
                  vector:       --

00000: 01 00 00 40 03 03 93 3E A2 1E C3 80 2A 56 15 50
00010: EC 78 D6 ED 51 AC 24 39 D7 E7 49 C3 1B C3 A3 45
00020: 61 65 88 96 84 CA 00 00 04 C1 00 C1 01 01 00 00
00030: 13 00 0D 00 06 00 04 08 40 08 41 FF 01 00 01 00
00040: 00 17 00 00

Record layer message:
   type:                        16
   version:
      major:                    03
      minor:                    03
   length:                      0044
   fragment:                    010000400303933EA21EC3802A561550
                                EC78D6ED51AC2439D7E749C31BC3A345
                                6165889684CA000004C100C101010000
                                13000D0006000408400841FF01000100
                                00170000

00000: 16 03 03 00 44 01 00 00 40 03 03 93 3E A2 1E C3
00010: 80 2A 56 15 50 EC 78 D6 ED 51 AC 24 39 D7 E7 49
00020: C3 1B C3 A3 45 61 65 88 96 84 CA 00 00 04 C1 00
00030: C1 01 01 00 00 13 00 0D 00 06 00 04 08 40 08 41
00040: FF 01 00 01 00 00 17 00 00

ServerHello message:
   msg_type:                    02
   length:                      000041
   body:
      server_version:
         major:                 03
         minor:                 03
      random:                   933EA21E49C31BC3A3456165889684CA
                                A5576CE7924A24F58113808DBD9EF856
      session_id:
         length:                10
         vector:                C3802A561550EC78D6ED51AC2439D7E7
      cipher_suite:
         CipherSuite:           C101
      compression_method:
         CompressionMethod:     00
      extensions:
         length:                0009
         vector:
            Extension: /* renegotiation_info */
               extension_type:  FF01
               extension_data:
                  length:       0001
                  vector:
                     renegotiated_connection:
                        length: 00
                        vector: --
            Extension: /* extended_main_secret */
               extension_type:  0017
               extension_data:
                  length:       0000
                  vector:       --

00000: 02 00 00 41 03 03 93 3E A2 1E 49 C3 1B C3 A3 45
00010: 61 65 88 96 84 CA A5 57 6C E7 92 4A 24 F5 81 13
00020: 80 8D BD 9E F8 56 10 C3 80 2A 56 15 50 EC 78 D6
00030: ED 51 AC 24 39 D7 E7 C1 01 00 00 09 FF 01 00 01
00040: 00 00 17 00 00

Record layer message:
   type:                        16
   version:
      major:                    03
      minor:                    03
   length:                      0045
   fragment:                    020000410303933EA21E49C31BC3A345
                                6165889684CAA5576CE7924A24F58113
                                808DBD9EF85610C3802A561550EC78D6
                                ED51AC2439D7E7C101000009FF010001
                                0000170000

00000: 16 03 03 00 45 02 00 00 41 03 03 93 3E A2 1E 49
00010: C3 1B C3 A3 45 61 65 88 96 84 CA A5 57 6C E7 92
00020: 4A 24 F5 81 13 80 8D BD 9E F8 56 10 C3 80 2A 56
00030: 15 50 EC 78 D6 ED 51 AC 24 39 D7 E7 C1 01 00 00
00040: 09 FF 01 00 01 00 00 17 00 00

Certificate message:
   msg_type:                    0B
   length:                      0001DB
   body:
      certificate_list:
         length:                0001D8
         vector:
            ASN.1Cert:
               length:          0001D5

---------------------------Server--------------------------- 
ServerHelloDone message: 
msg_type: 0E 
length: 000000 
body: -- 
00000: 0E 00 00 00 
Record layer message: 
type: 16 
version: 
major: 03 
minor: 03 
length: 0004 
fragment: 0E000000 
00000: 16 03 03 00 04 0E 00 00 00 
---------------------------Client--------------------------- 
PMS: 
00000: A5 57 6C E7 92 4A 24 F5 81 13 80 8D BD 9E F8 56 
00010: F5 BD C3 B1 83 CE 5D AD CA 36 A5 3A A0 77 65 1D 

Random d_eph value: 
0xA5C77C7482373DE16CE4A6F73CCE7F78 
471493FF2C0709B8B706C9E8A25E6CT1E 

Q_eph ephemeral key: 
x = 0xA8F36D63D262A203978F1B3B6795CDBB 
F1AE7FB8EF7F47F1F18871C198E00793 

y = 0x34CA5D6B4485640EA195435993BEB1F8 
B016ED610496B5CC175AC2EA1F14F887 

HASH(r_c | r_s): 
00000: C3 EF 04 28 D4 B7 A1 F4 C5 02 5F 2E 65 DD 2B 2E 
00010: A5 83 AE EF DB 67 C7 F4 21 4A 6A 29 8E 99 E3 25 

Export key generation. r value: 
0xC3EF0428D4B7A1F4C5025F2E65DD2B2E 

Export key generation. UKM value: 
0xC3EF0428D4B7A1F4C5025F2E65DD2B2E 

seed: 
00000: A5 83 AE EF DB 67 C7 F4 

K_EXP: 

Export keys K_Exp_MAC | K_Exp_ENC used in KExp15 algorithm: 

IV: 
00000: 21 4A 6A 29 

PMSEXP: 
00000: D7 F0 F0 42 23 67 86 7B 25 FA 42 33 A9 54 F5 8B 
00010: DE 92 E9 C9 BB FB 88 16 C9 9F 15 E6 39 87 22 A0 
00020: B2 B7 BF E8 49 3E 9A 5C 
ClientKeyExchange message: 
msg_type: 10 
length: 000095 
body: 
exchange_keys: 

Record layer message: 
type: 16 
version: 
major: 03 
minor: 03 
length: 0099 
fragment: 


---------------------------Server--------------------------- 
PMSEXP extracted: 
00000: D7 F0 F0 42 23 67 86 7B 25 FA 42 33 A9 54 F5 8B 
00010: DE 92 E9 C9 BB FB 88 16 C9 9F 15 E6 39 87 22 A0 
00020: B2 B7 BF E8 49 3E 9A 5C 

HASH(r_c | r_s): 
00000: C3 EF 04 28 D4 B7 A1 F4 C5 02 5F 2E 65 DD 2B 2E 
00010: A5 83 AE EF DB 67 C7 F4 21 4A 6A 29 8E 99 E3 25 

Export key generation. r value: 
0xC3EF0428D4B7A1F4C5025F2E65DD2B2E 

Export key generation. UKM value: 
0xC3EF0428D4B7A1F4C5025F2E65DD2B2E 

seed: 
00000: A5 83 AE EF DB 67 C7 F4 

K_EXP: 

Import keys K_Imp_MAC | K_Imp_ENC used in KImp15 algorithm: 

IV: 
00000: 21 4A 6A 29 

PMS: 
00000: A5 57 6C E7 92 4A 24 F5 81 13 80 8D BD 9E F8 56 
00010: F5 BD C3 B1 83 CE 5D AD CA 36 A5 3A A0 77 65 1D 


---------------------------Client--------------------------- 
HASH(HM): 

MS: 

Client connection key material 
K_write_MAC|K_read_MAC|K_write_ENC|K_read_ENC|IV_write|IV_read: 

---------------------------Server--------------------------- 
HASH(HM): 

MS: 

Server connection key material 
K_read_MAC|K_write_MAC|K_read_ENC|K_write_ENC|IV_read|IV_write: 
ChangeCipherSpec message: 
type: 01 
00000: 01 

Record layer message: 
type: 14 
version: 
major: 03 
minor: 03 
length: 0001 
fragment: 01 
00000: 14 03 03 00 01 01 

HASH(HM): 

client_verify_data: 
00000: B4 61 C5 AD 25 EA 1E 62 B3 70 BD 1F 1B CB 16 91 
00010: FC CC BA 37 8B BC 13 43 BE 54 B3 8D F5 53 B7 A5 

Finished message: 
msg_type: 14 
length: 000020 
body: 
verify_data: B461C5AD25EA1E62B370BD1F1BCB1691 
FCCCBA378BBC1343BE54B38DF553B7A5 
00000: 14 00 00 20 B4 61 C5 AD 25 EA 1E 62 B3 70 BD 1F 
00010: 1B CB 16 91 FC CC BA 37 8B BC 13 43 BE 54 B3 8D 
00020: F5 53 B7 A5 

Record layer message: 
type: 16 
version: 
major: 03 
minor: 03 
length: 002C 
fragment: 
ChangeCipherSpec message: 
type: 01 
00000: 01 

Record layer message: 
type: 14 
version: 
major: 03 
minor: 03 
length: 0001 
fragment: 01 
00000: 14 03 03 00 01 01 

HASH(HM): 

server_verify_data: 
00000: 45 39 EC 8D 0A F7 B1 A6 20 41 AB 43 4A 43 77 71 
00010: D3 4C 47 19 D8 6E BB FD 0F 28 C3 E9 53 55 0C D0 

Finished message: 
msg_type: 14 
length: 000020 
body: 
verify_data: 4539EC8D0AF7B1A62041AB434A437771 
D34C4719D86EBBFD0F28C3E953550CD0 
00000: 14 00 00 20 45 39 EC 8D 0A F7 B1 A6 20 41 AB 43 
00010: 4A 43 77 71 D3 4C 47 19 D8 6E BB FD 0F 28 C3 E9 
00020: 53 55 0C D0 

Record layer message: 
type: 16 
version: 
major: 03 
minor: 03 
length: 002C 
fragment: E6A94A4BF70886566A2316811E57B483 
BB1E47950A1FF820A80DCA77A4DF9954 
2DAB6953F3ED03D95CCA4748 
00000: 16 03 03 00 2C E6 A9 4A 4B F7 08 86 56 6A 23 16 
00010: 81 1E 57 B4 83 BB 1E 47 95 0A 1F F8 20 A8 0D CA 
00020: 77 A4 DF 99 54 2D AB 69 53 F3 ED 03 D9 5C CA 47 
00030: 48 
Application data: 
00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 

Record layer message: 
type: 17 
version: 
major: 03 
minor: 03 
length: 0028 
fragment: 

Application data: 
00000: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
00010: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 

Record layer message: 
type: 17 
version: 
major: 03 
minor: 03 
length: 0028 
fragment: 

close_notify alert: 
Alert: 
level: 01 
description: 00 
00000: 01 00 

Record layer message: 
type: 15 
version: 
major: 03 
minor: 03 
length: 000A 
fragment: 4F2A0807A0374E28C632 
00000: 15 03 03 00 0A 4F 2A 08 07 A0 37 4E 28 C6 32 

close_notify alert: 
Alert: 
level: 01 
description: 00 
00000: 01 00 

Record layer message: 
type: 15 
version: 
major: 03 
minor: 03 
length: 000A 
fragment: 999468849AC5B0DE512C 
00000: 15 03 03 00 0A 99 94 68 84 9A C5 B0 DE 51 2C 
A.1.3.2. TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC Cipher Suite 

Server certificate curve OID: 
id-tc26-gost-3410-2012-512-paramSetC, "1.2.643.7.1.2.1.2.3" 

Server public key Q_s: 
x = 0xF14589DA479AD972C66563669B3FF580 
92E6A30A288BF447CD9FF6C3133E9724 
749706B267703C9B4E239F0D7C7E3310 
C22D2752B35BD2E4FD39B8F11DEB833A 

y = 0xF305E95B36502D4E60A1059FB20AB30B 
FC7C95727F3A2C04B1DFDDB53B0413F2 
99F2DFE66A5E1CCB4101A7A01D612BE6 
BD78E1E3B3D567EBB16ABE587A11F4EA 

Server private key d_s: 
0x12FD7A70067479A0F66C59F9A25534AD 
FBC7ABFD3CC72D79806F8B402601644B 
3005ED365A2D8989A8CCAE640D5FC08D 
D27DFBBFE137CF528E1AC6D445192E01 

Client certificate curve OID: 
id-tc26-gost-3410-2012-256-paramSetA, "1.2.643.7.1.2.1.1.1" 

Client public key Q_c: 
x = 0x0F5DB18A9E15F324B778676025BFD7B5 
DF066566EABAA1C51CD879F87B0B4975 

y = 0x9EE5BBF18361F842D3F087DEC2943939 
E0FA2BFBAEDEC25A8D10ABB22C48F386 

Client private key d_c: 
0x0918AD3F7D209ABF89F1E8505DA894CE 
E10DA09D32E72E815D9C0ADA30B5A103 


---------------------------Client--------------------------- 
ClientHello message: 
msg_type: 01 
length: 000040 
body: 
client_version: 
major: 03 
minor: 03 
random: 933EA21EC3802A561550EC78D6ED51AC 
2439D7E749C31BC3A3456165889684CA 
session_id: 
length: 00 
vector: -- 
cipher_suites: 
length: 0004 
vector: 
CipherSuite: C100 
CipherSuite: C101 
compression_methods: 
length: 01 
vector: 
CompressionMethod: 00 
extensions: 
length: 0013 
vector: 
Extension: /* signature_algorithms */ 
extension_type: 000D 
extension_data: 
length: 0006 
vector: 
supported_signature_algorithms: 
length: 0004 
vector: 
/* 1 pair of algorithms */ 
hash: 08 
signature: 40 
/* 2 pair of algorithms */ 
hash: 08 
signature: 41 
Extension: /* renegotiation_info */ 
extension_type: FF01 
extension_data: 
length: 0001 
vector: 
renegotiated_connection: 
length: 00 
vector: -- 
Extension: /* extended_main_secret */ 
extension_type: 0017 
extension_data: 
length: 0000 
vector: -- 

00000: 01 00 00 40 03 03 93 3E A2 1E C3 80 2A 56 15 50 
00010: EC 78 D6 ED 51 AC 24 39 D7 E7 49 C3 1B C3 A3 45 
00020: 61 65 88 96 84 CA 00 00 04 C1 00 C1 01 01 00 00 
00030: 13 00 0D 00 06 00 04 08 40 08 41 FF 01 00 01 00 
00040: 00 17 00 00 

Record layer message: 
type: 16 
version: 
major: 03 
minor: 03 
length: 0044 
fragment: 010000400303933EA21EC3802A561550 
EC78D6ED51AC2439D7E749C31BC3A345 
6165889684CA000004C100C101010000 
13000D0006000408400841FF01000100 
00170000 

00000: 16 03 03 00 44 01 00 00 40 03 03 93 3E A2 1E C3 
00010: 80 2A 56 15 50 EC 78 D6 ED 51 AC 24 39 D7 E7 49 
00020: C3 1B C3 A3 45 61 65 88 96 84 CA 00 00 04 C1 00 
00030: C1 01 01 00 00 13 00 0D 00 06 00 04 08 40 08 41 
00040: FF 01 00 01 00 00 17 00 00 
---------------------------Server--------------------------- 
ServerHello message: 
msg_type: 02 
length: 000041 
body: 
server_version: 
major: 03 
minor: 03 
random: 933EA21E49C31BC3A3456165889684CA 
A5576CE7924A24F58113808DBD9EF856 
session_id: 
length: 10 
vector: C3802A561550EC78D6ED51AC2439D7E7 
cipher_suite: 
CipherSuite: C100 
compression_method: 
CompressionMethod: 00 
extensions: 
length: 0009 
vector: 
Extension: /* renegotiation_info */ 
extension_type: FF01 
extension_data: 
length: 0001 
vector: 
renegotiated_connection: 
length: 00 
vector: -- 
Extension: /* extended_main_secret */ 
extension_type: 0017 
extension_data: 
length: 0000 
vector: -- 

00000: 02 00 00 41 03 03 93 3E A2 1E 49 C3 1B C3 A3 45 
00010: 61 65 88 96 84 CA A5 57 6C E7 92 4A 24 F5 81 13 
00020: 80 8D BD 9E F8 56 10 C3 80 2A 56 15 50 EC 78 D6 
00030: ED 51 AC 24 39 D7 E7 C1 00 00 00 09 FF 01 00 01 
00040: 00 00 17 00 00 

Record layer message: 
type: 16 
version: 
major: 03 
minor: 03 
length: 0045 
fragment: 020000410303933EA21E49C31BC3A345 
6165889684CAA5576CE7924A24F58113 
808DBD9EF85610C3802A561550EC78D6 
ED51AC2439D7E7C100000009FF010001 
0000170000 

00000: 16 03 03 00 45 02 00 00 41 03 03 93 3E A2 1E 49 
00010: C3 1B C3 A3 45 61 65 88 96 84 CA A5 57 6C E7 92 
00020: 4A 24 F5 81 13 80 8D BD 9E F8 56 10 C3 80 2A 56 
00030: 15 50 EC 78 D6 ED 51 AC 24 39 D7 E7 C1 00 00 00 
00040: 09 FF 01 00 01 00 00 17 00 00 


Certificate message: 
msg_type: 0B 
length: 00024C 
body: 
certificate_list: 
length: 000249 
vector: 
ASN.1Cert: 
length: 000246 
vector: 

Record layer message: 
type: 16 
version: 
major: 03 
minor: 03 
length: 0250 
fragment: 
CertificateRequest message: 
msg_type: 0D 
length: 00000B 
body: 
certificate_types: 
length: 02 
vector: 
/* gost_sign256 */ 
43 
/* gost_sign512 */ 
44 
supported_signature_algorithms: 
length: 0004 
vector: 
/* 1 pair of algorithms */ 
hash: 08 
signature: 40 
/* 2 pair of algorithms */ 
hash: 08 
signature: 41 
certificate_authorities: 
length: 0000 
vector: -- 

00000: 0D 00 00 0B 02 43 44 00 04 08 40 08 41 00 00 

Record layer message: 
type: 16 
version: 
major: 03 
minor: 03 
length: 000F 
fragment: 0D00000B0243440004084008410000 

00000: 16 03 03 00 0F 0D 00 00 0B 02 43 44 00 04 08 40 
00010: 08 41 00 00 


---------------------------Server--------------------------- 
ServerHelloDone message: 
msg_type: 0E 
length: 000000 
body: -- 
00000: 0E 00 00 00 
Record layer message: 
type: 16 
version: 
major: 03 
minor: 03 
length: 0004 
fragment: 0E000000 

00000: 16 03 03 00 04 0E 00 00 00 
---------------------------Client--------------------------- 
Certificate message: 
msg_type: 0B 
length: 0001EA 
body: 
certificate_list: 
length: 0001E7 
vector: 
ASN.1Cert: 
length: 0001E4 
vector: 

Record layer message: 
type: 16 
version: 
major: 03 
minor: 03 
length: 01EE 
fragment: 


---------------------------Client--------------------------- 
PMS value: 
00000: A5 57 6C E7 92 4A 24 F5 81 13 80 8D BD 9E F8 56 
00010: F5 BD C3 B1 83 CE 5D AD CA 36 A5 3A A0 77 65 1D 

Random d_eph value: 
0x150ACD11B66DD695AD18418FA7A2DC63 
6B7E29DCA24536AABC826EE3175BB1FA 
DC3AA0D01D3092E120BO0FCF7EB872F4B 
7E26EA17849D689222A48CF95A6E4831 

Q_eph ephemeral key: 
x = 0xC941BE5193189B476D5A0334114A3E04 
BBE5B37C738AE40F150B334135288664 
FEBFC5622818894A07B1F7AD60E28480 
B4B637B90EA7D4BA980186B605D75BC6 

y = 0xA154F7B93E8148652011F4FD52C9A06A 
6471ADB28D0A949AE26BC786DE874153 
ABC00B35164F3214A8A83C00ECE27831 
B093528456234EFE766224FC2A7E9ABE 

HASH(r_c | r_s): 
00000: C3 EF 04 28 D4 B7 A1 F4 C5 02 5F 2E 65 DD 2B 2E 
00010: A5 83 AE EF DB 67 C7 F4 21 4A 6A 29 8E 99 E3 25 

Export key generation. r value: 
0xC3EF0428D4B7A1F4C5025F2E65DD2B2E 

Export key generation. UKM value: 
0xC3EF0428D4B7A1F4C5025F2E65DD2B2E 

Export keys K_Exp_MAC | K_Exp_ENC used in KExp15 algorithm: 

IV: 

PMSEXP: 


ClientKeyExchange message: 
msg_type: 10 
length: 0000E2 
body: 
exchange_keys: 

Record layer message: 
type: 16 
version: 
major: 03 
minor: 03 
length: 00E6 
fragment: 

PMSEXP extracted: 

HASH(r_c | r_s): 
00000: C3 EF 04 28 D4 B7 A1 F4 C5 02 5F 2E 65 DD 2B 2E 
00010: A5 83 AE EF DB 67 C7 F4 21 4A 6A 29 8E 99 E3 25 

Export key generation. r value: 
0xC3EF0428D4B7A1F4C5025F2E65DD2B2E 

Export key generation. UKM value: 
0xC3EF0428D4B7A1F4C5025F2E65DD2B2E 

Export keys K_Exp_MAC 

Random value k used in signature generation: 
0x163962EEA268203E7C6B3F70BF8D4A36 
3ACE6E2CFC424687951D70ACE0B4292A 


Signature value sgn_c = SIGN. d. с (НМ): 

F7 1F 43 62 45 5B C5 5B A8 9A 8F AF 01 82 88 EC 
00 ВЗ 27 17 48 2E 76 24 B2 57 09 79 7C 8F F6 02 
ЕЗ 15 FD BD 8D E5 6D 08 54 18 04 0E 1B 61 BB F6 
B3 01 AC 26 3D 50 03 8B 30 31 13 DB 36 17 50 3A 


00000: 
00010: 
00020: 
00030: 


CertificateVerify message: 


msg. type: 
length: 
body: 


algorithm: 


hash: 


signature: 


signature: 


lengt 
vecto 


00000: 
00010: 
00020: 
00030: 
00040: 


Record layer message: 


type: 
version: 
major: 
minor: 
length: 
fragment: 


he 
ге 


ӨР 
А8 
В2 
54 
30 
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00 
9A 
57 
18 
3i 


00 44 
8F AF 
D9 79 
04 ӨЕ 
13 DB 


08 
01 
7C 
1B 
36 


ӨР 
800844 


88 
40 


0040 

F71F4362455BC55BA89A8FAF018288EC 
00B32717482E7624B257D9797C8FF602 
E315FDBD8DE56D085418040E1B61BBF6 
B301AC263D50038B303113DB3617503A 


40 00 40 F7 1F 43 62 45 5B C5 5B 


82 88 EC 00 ВЗ 27 17 48 2E 76 24 
8F F6 02 ЕЗ 15 FD BD 8D Е 6D 08 
61 BB F6 B3 01 AC 26 3D 50 03 8B 
17 50 3A 


0F00004408400040F71F4362455BC55B 
A89A8FAF018288bEC00B32717482bE7624 
B257D9797C8FF602E315FDBD8DE56D08 
5418040E1B61BBF6B301AC263D50038B 
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емс ааа степе ааа 


HASH(HM) : 
00000: 
00010: 


М5: 

00000: 
00010: 
00020: 


GOST Cipher Suites for TLS 1.2 


303113DB3617503A 


00 48 ӨЕ 00 00 44 08 
С5 58 А8 9А 8Р АҒ 01 
76 24 В2 57 09 79 7С 
60 08 54 18 04 ӨЕ 1В 
03 88 30 31 13 DB 36 


08 В2 54 6В 87 05 СС 
05 04 5С Ад 44 85 01 


В0 ЕС 7Ғ ЗВ С9 ДА 8В 
34 78 56 31 С0 АВ АЕ 
OF 6C 9D Е1 70 74 58 


Client connection key material 


K_write_MAC|K_read_MAC|K_write_ENC|K_read_ENC|IV_write|IV_read: 


00000: 
00010: 
00020: 
00030: 
00040: 
00050: 
00060: 
00070: 
00080: 


---------------------------Server---------------------------


HASH(HM): 
00000: 
00010: 


MS: 

00000: 
00010: 
00020: 




Server connection 


K_read_MAC|K_write_MAC | K_read_ENC|K_write_ENC|IV_read|IV_write: 


00000: 
00010: 
00020: 
00030: 
00040: 
00050: 
00060: 
00070: 
00080: 




33 Е7 80 6С ТР Ер 
3D 33 ӨЭ БОЛ >) TAG 
22 OA А1 BO Сб DE бА 
86 62 25 Ед 7F 30 4C 
5D 7A 08 C2 CD 7F 60 
84 0D 9A EC 63 F0 2A 
2B 83 2F CE 58 CB 4D 
B2 ED 52 6E 61 65 0A 
4C 5B DF 5B 9F 47 48 


D8 B2 54 6B 87 05 CC 
05 D4 5C А0 44 85 01 


В0 ЕС 7Ғ ЗВ С9 ДА 8В 
34 78 56 31 С0 АВ АЕ 
OF 6C 9D Е1 70 74 58 


key material 


33 4E F7 00 6C 1D ED 
3033-65-92.) ТС 
22 ӨА А1 80 C6 DE 6A 
86 62 25 Ед 7F 30 4C 
5D 7A 08 C2 CD 7F 60 
84 0D 9A EC 63 F0 2A 
2B 83 2F CE 58 CB 4D 
B2 ED 52 6E 61 65 0A 
4C 5B DF 5B 9F 47 48 


ChangeCipherSpec message: 
type: 01 
00000: 01 
Record layer message: 
type: 14 
version: 
major: 03 
minor: 03 
length: 0001 
fragment: 01 
00000: 14 03 03 00 01 01 
HASH(HM): 
00000: C9 A4 80 FA 
00010: EA 67 78 B7 
6C DD 12 3E 9A EB 26 88 8B 86 19 
FA A8 B2 DC 70 6A CB A5 AB AF 11 
client_verify_data: 
00000: 98 7C 13 E6 FA 16 F3 D5 10 AE 83 00 23 58 72 27 
00010: 32 90 09 4C 8F C7 B5 F0 C7 D7 47 C4 27 35 F8 F1 


Finished message: 
msg_type: 14 
length: 000020 
body: 
verify_data: 987C13E6FA16F3D510AE830023587227 
3290094C8FC7B5F0C7D747C42735F8F1 
00000: 14 00 00 20 98 7C 13 E6 FA 16 F3 D5 10 AE 83 00 
00010: 23 58 72 27 32 90 09 4C 8F C7 B5 F0 C7 D7 47 C4 
00020: 27 35 F8 F1 
Record layer message: 
type: 16 
version: 
major: 03 
minor: 03 
length: 0034 
fragment: 4DC53D655EDFD1843AF69ADBDE989C0B 
1F0C0A1A0FD1B3F458029D8F9989FBF9 
6C5C42971063A9B70714F412EAF6280F 
7C21601B 
00000: 16 03 03 00 34 4D C5 3D 65 5E DF D1 84 3A F6 9A 
00010: DB DE 98 9C 0B 1F 0C 0A 1A 0F D1 B3 F4 58 02 9D 
00020: 8F 99 89 FB F9 6C 5C 42 97 10 63 A9 B7 07 14 F4 
00030: 12 EA F6 28 0F 7C 21 60 1B 
---------------------------Server---------------------------
ChangeCipherSpec message: 
type: 01 
00000: 01 
Record layer message: 
type: 14 
version: 
major: 03 
minor: 03 
length: 0001 
fragment: 01 
00000: 14 03 03 00 01 01 
---------------------------Server---------------------------
HASH(HM): 
00000: 4A 41 4C AD 20 F8 46 D8 F5 D1 05 26 10 A5 9D ED 
00010: 60 2B 1B B2 A8 9E 13 51 01 FC 9E 49 ED AB 0F B4 


server_verify_data: 


00000: 1E 93 7D A4 77 EE 1F 23 0A 41 D6 E9 D4 14 46 B7 
00010: F2 1C A1 B2 E2 32 4A 55 2D 52 B3 25 5E B4 3D DF 

---------------------------Server---------------------------
Finished message: 
msg_type: 14 
length: 000020 
body: 
verify_data: 1E937DA477EE1F230A41D6E9D41446B7 
F21CA1B2E2324A552D52B3255EB43DDF 
00000: 14 00 00 20 1E 93 7D A4 77 EE 1F 23 0A 41 D6 E9 
00010: D4 14 46 B7 F2 1C A1 B2 E2 32 4A 55 2D 52 B3 25 
00020: 5E B4 3D DF 
Record layer message: 
type: 16 
version: 
major: 03 
minor: 03 
length: 0034 
fragment: F9887C3654B6CCC6AE7D7B18A46C663F 
3D1DAF30C9A853A9871077FDD5CA063B 
2C81BCC9D59FA6E3F5FAD9B2599BB586 
854A2D76 
00000: 16 03 03 00 34 F9 88 7C 36 54 B6 CC C6 AE 7D 7B 
00010: 18 A4 6C 66 3F 3D 1D AF 30 C9 A8 53 A9 87 10 77 
00020: FD D5 CA 06 3B 2C 81 BC C9 D5 9F A6 E3 F5 FA D9 
00030: B2 59 9B B5 86 85 4A 2D 76 
Application data: 
00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
Record layer message: 
type: 17 
version: 
major: 03 
minor: 03 
length: 0030 
fragment: F14F06FB8557408846080690E7A5525D 
1C6E9C901D24025486AB79728BF63D06 
5C09C27233006D65CFF0B5BA87504969 
00000: 17 03 03 00 30 F1 4F 06 FB 85 57 40 88 46 08 06 
00010: 90 E7 A5 52 5D 1C 6E 9C 90 1D 24 02 54 86 AB 79 
00020: 72 8B F6 3D 06 5C 09 C2 72 33 00 6D 65 CF F0 B5 
00030: BA 87 50 49 69 


Application data: 
00000: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
00010: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
Record layer message: 
type: 17 
version: 
major: 03 
minor: 03 
length: 0030 
fragment: 1561E52A8B6DB258746FFE18F3CDCB11 
1D0173AF2E5C13741C99BFF13B47CD32 
B3CED856A9506E706A2340D5841AB114 
00000: 17 03 03 00 30 15 61 E5 2A 8B 6D B2 58 74 6F FE 
00010: 18 F3 CD CB 11 1D 01 73 AF 2E 5C 13 74 1C 99 BF 
00020: F1 3B 47 CD 32 B3 CE D8 56 A9 50 6E 70 6A 23 40 
00030: D5 84 1A B1 14 

---------------------------Client---------------------------
close_notify alert: 
Alert: 
level: 01 
description: 00 
00000: 01 00 
Record layer message: 
type: 15 
version: 
major: 03 
minor: 03 
length: 0012 
fragment: E530C164642A078CEF528CB465E9DA7E 
AD4D 
00000: 15 03 03 00 12 E5 30 C1 64 64 2A 07 8C EF 52 8C 
00010: B4 65 E9 DA 7E AD 4D 

---------------------------Server---------------------------
close_notify alert: 
Alert: 
level: 01 
description: 00 
00000: 01 00 
Record layer message: 
type: 15 
version: 
major: 03 
minor: 03 
length: 0012 
fragment: EB62E5AB78BF2A4B678920A11027EC43 
0C3E 
00000: 15 03 03 00 12 EB 62 E5 AB 78 BF 2A 4B 67 89 20 
00010: A1 10 27 EC 43 0C 3E 
A.2. Test Examples for CNT_IMIT Cipher Suites 

A.2.1. Record Examples 


It is assumed that the following keys were established 
during handshake: 


- MAC key: 

00000: DP ЗА LL LI II II II IPIE II. IL II II Ба 
80018: 11 IL РА + У Р XL +4I IER АР ри ДА А Б IPP OUI агаар 
- Encryption key: 

00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 


00000: 00 00 00 00 00 00 00 00 


seqnum = 0 


Application data: 
00000: 00 00 00 00 00 00 00 


Plaintext: 
00000: 17 03 03 00 07 00 00 00 00 00 00 00 


MAC: 
00000: 30 01 34 a1 


Ciphertext: 
00000: 17 03 03 00 0b 86 71 cd bf 3c 1a ae 0f 62 4b 04 


seqnum = 1 


Application data: 
00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 

007f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 


Plaintext: 
00000: 17 03 03 08 00 00 00 00 00 00 00 00 00 00 00 00 
00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 

007f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00800: 00 00 00 00 00 


MAC: 
00000: 17 c3 8b 8a 

Ciphertext: 
00000: 17 03 03 08 04 cf аа Өс 54 2f a5 a4 7a 13 За 73 
00010: 59 f2 с0 Һ0 АТ 8c a2 55 52 Ғ8 56 bc be ба 58 Ға 


00780: Зе е2 c7 6f a2 30 ай 44 be 21 dc 8e Та 96 f9 a8 
00804: 88 1f ad 83 45 96 96 84 47 
A.2.2. Handshake Examples 


The ClientHello.extensions and the ServerHello.extensions fields contain the renegotiation_info 
extension (see [RFC5746]) in the following examples. 

Server certificate curve OID: 
id-tc26-gost-3410-12-512-paramSetA, "1.2.643.7.1.2.1.2.1" 


Server public key Q_s: 

x = 0x16DB0566C0278AC8204143994824236D 
97F36A13D5433E990B2EAC859D2E9B7A 
E054794655389158B8242923E3841B14 
24FD89F221701C89D9A3BF6A9F946795 


у = 0хр01Е80рЕС58023С8ВС6В85Е12ВВВ1635 
A5AE7AD50DE24FB8FD02CB285A4AE65A 
7D6FBB99AAFFDA80629826F2F7F73282 
220444761615A06D082077C4A00FDACF 


Server private key d_s: 

0x5F1E83AFA2C4CB2C5633C51380E84E37 
4B013EE7C238330709080CE914B442D4 
34EB016D23FB63FEDC18B62D9DA93D26 
B3B9CE6F663B383303BD5930ED41608B 


---------------------------Client---------------------------
ClientHello message: 
msg_type: 01 
length: 00003A 
body: 
client_version: 
major: 03 
minor: 03 
random: 6A523D6880DCC2DC75CCCA3CFD04B616 
F5C3757B8077B76A9B504949FD3BFDB8 
session_id: 
length: 00 
vector: -- 
cipher_suites: 
length: 0002 
vector: 
CipherSuite: C102 
compression_methods: 
length: 01 
vector: 
CompressionMethod: 00 
extensions: 
length: 000F 
Extension: /* signature_algorithms */ 
extension_type: 000D 
extension_data: 
length: 0006 
vector: 
supported_signature_algorithms: 
length: 0004 
vector: 
/* 1 pair of algorithms */ 
hash: 08 
signature: 41 
/* 2 pair of algorithms */ 
hash: 08 
signature: 40 
Extension: /* renegotiation_info */ 
extension_type: FF01 
extension_data: 
length: 0001 
vector: 
renegotiated_connection: 
length: 00 
vector: -- 
00000: 01 00 00 3A 03 03 6A 52 3D 68 80 DC C2 DC 75 CC 
00010: CA 3C FD 04 B6 16 F5 C3 75 7B 80 77 B7 6A 9B 50 
00020: 49 49 FD 3B FD B8 00 00 02 C1 02 01 00 00 0F 00 
00030: 0D 00 06 00 04 08 41 08 40 FF 01 00 01 00 
Record layer message: 
type: 16 
version: 
major: 03 
minor: 03 
length: 003E 
fragment: 0100003A03036A523D6880DCC2DC75CC 
CA3CFD04B616F5C3757B8077B76A9B50 
4949FD3BFDB8000002C1020100000F00 
0D0006000408410840FF01000100 
00000: 16 03 03 00 3E 01 00 00 3A 03 03 6A 52 3D 68 80 
00010: DC C2 DC 75 CC CA 3C FD 04 B6 16 F5 C3 75 7B 80 
00020: 77 B7 6A 9B 50 49 49 FD 3B FD B8 00 00 02 C1 02 
00030: 01 00 00 0F 00 0D 00 06 00 04 08 41 08 40 FF 01 
00040: 00 01 00 
---------------------------Server---------------------------
ServerHello message: 
msg_type: 02 
length: 00004D 
body: 
client_version: 
major: 03 
minor: 03 
random: FE92C9516D0E1A67A04C33CD7F2C90B1 
5E76DCC30815C19F92A6D100915AF2DB 
session_id: 
length: 20 
vector: 12AAA5E5779014711CCD6D265BDEE519 
1026431C83768EE5EB5A157F940BE9FB 
cipher_suite: 
CipherSuite: C102 
compression_method: 
CompressionMethod: 00 
extensions: 
length: 0005 
Extension: /* renegotiation_info */ 
extension_type: FF01 
extension_data: 
length: 0001 
vector: 
renegotiated_connection: 
length: 00 
vector: -- 
00000: 02 00 00 4D 03 03 FE 92 C9 51 6D 0E 1A 67 A0 4C 
00010: 33 CD 7F 2C 90 B1 5E 76 DC C3 08 15 C1 9F 92 A6 
00020: D1 00 91 5A F2 DB 20 12 AA A5 E5 77 90 14 71 1C 
00030: CD 6D 26 5B DE E5 19 10 26 43 1C 83 76 8E E5 EB 
00040: 5A 15 7F 94 0B E9 FB C1 02 00 00 05 FF 01 00 01 
00050: 00 
Record layer message: 
type: 16 
version: 
major: 03 
minor: 03 
length: 0051 
fragment: 0200004D0303FE92C9516D0E1A67A04C 
33CD7F2C90B15E76DCC30815C19F92A6 
D100915AF2DB2012AAA5E5779014711C 
CD6D265BDEE5191026431C83768EE5EB 
5A157F940BE9FBC102000005FF010001 
00 
00000: 16 03 03 00 51 02 00 00 4D 03 03 FE 92 C9 51 6D 
00010: 0E 1A 67 A0 4C 33 CD 7F 2C 90 B1 5E 76 DC C3 08 
00020: 15 C1 9F 92 A6 D1 00 91 5A F2 DB 20 12 AA A5 E5 
00030: 77 90 14 71 1C CD 6D 26 5B DE E5 19 10 26 43 1C 
00040: 83 76 8E E5 EB 5A 15 7F 94 0B E9 FB C1 02 00 00 
00050: 05 FF 01 00 01 00 


Certificate message: 
msg_type: 0B 
length: 000266 
body: 
certificate_list: 
length: 000263 
vector: 
ASN.1Cert: 
length: 000260 
vector: 3082025C308201C8A003020102021478 
94DC9D920977809191642F1DAEDC26BA 
3B5104300A06082A8503070101030330 

6C12D51F99C98A4A9904F0EA5486FED7 
FF66AB8EB2425E1ACEAE8A758BDF843B 
E1A8F6FEBF673015FED7AB86533DBF20 


Record layer message: 
type: 16 
version: 
major: 03 
minor: 03 
length: 026A 
fragment: 0B0002660002630002603082025C3082 
01C8A00302010202147894DC9D920977 
809191642F1DAEDC26BA3B5104300A06 

EC99C7CD239F6F2025A86C12D51F99C9 
8A4A9904F0EA5486FED7FF66AB8EB242 
5E1ACEAE8A758BDF843BE1A8F6FEBF67 
3015FED7AB86533DBF20 
---------------------------Server---------------------------
ServerHelloDone message: 
msg_type: 0E 
length: 000000 
body: -- 
00000: 0E 00 00 00 
Record layer message: 
type: 16 
version: 
major: 03 
minor: 03 
length: 0004 
fragment: 0E000000 
00000: 16 03 03 00 04 0E 00 00 00 
---------------------------Client---------------------------
PMS: 
00000: CE 0D D6 B6 70 42 12 15 2B E4 69 5A 7E 89 F6 4C 
00010: 89 29 A4 0D BF 0A 5A 55 C2 CE 00 2B 06 BA B6 2F 


Random d_eph value: 

0xC96486B1A3732389A162F5AD0145D537 
43C9AC27D42ACF1091CE7EF67E6C3CCA 
0F6C879B2DA3C1607648BAEB96471BD2 
078DF5CAAAAFA83ECC0FFD6D3C8E5D56 


Q_eph ephemeral key: 

x = 0x4B9CB381BCC737E493E43B2D7FD95BFE 
2AEF6BE8F6224882E5E559ADA08170DC 
494815B3A1B3B323D2B50195153CFC60 
DD6139C3770C576246A7719FABF84BFB 


y = 0x95CEF28392C846A5EEFCB51C84E4960A 
77B77D0D85EBD22061BFDA0013C5AB6C 
42DDD04973F65D2AEB8A5427A53D6872 
CF2D68F5F722C4640D7AAF2E0194FBD0 


HASH(r_c | r_s): 
00000: FB F3 9D 10 E8 00 AF 70 E7 AA 22 C1 10 DA 94 A9 
00010: 9A 58 98 D8 45 27 C7 CB DE C1 1E 53 39 90 6A 1A 


K_EXP: 
00000: 3F D9 99 D1 68 4A 15 CC 9B DD 5A 35 06 7A F6 98 
00010: 17 15 00 22 E0 95 54 AC 79 1A 60 F1 61 F5 53 49 


IV: 
00000: FB F3 9D 10 E8 00 AF 70 


CEK_ENC: 
00000: D6 22 D1 67 A5 64 2E 29 52 5A 29 5C B9 F2 8F 96 
00010: F2 8B 0E FA A7 D3 A2 BE E1 49 B0 11 78 C2 DF D5 


CEK_MAC: 
00000: 4C 93 36 57 


PMSEXP: 

00000: FB F3 9D 10 E8 00 AF 70 D6 22 D1 67 A5 64 2E 29 
00010: 52 5A 29 5C B9 F2 8F 96 F2 8B 0E FA A7 D3 A2 BE 
00020: E1 49 B0 11 78 C2 DF D5 4C 93 36 57 


---------------------------Client---------------------------
ClientKeyExchange message: 
msg_type: 10 
length: 0000F5 
body: 
exchange_keys: 3081F23081EF30280420D622D167A564 
2E29525A295CB9F28F96F28B0EFAA7D3 
A2BEE149B01178C2DFD504044C933657 

DABF6120D2EB850D7DB7770A96E4841C 
B5FCEEA546C89283F2CE950408FBF39D 
10E800AF70 
Record layer message: 
type: 16 
version: 
major: 03 
minor: 03 
length: 00F9 
fragment: 100000F53081F23081EF30280420D622 
D167A5642E29525A295CB9F28F96F28B 
0EFAA7D3A2BEE149B01178C2DFD50404 

ABC51300DABF6120D2EB850D7DB7770A 
96E4841CB5FCEEA546C89283F2CE9504 
08FBF39D10E800AF70 


---------------------------Client---------------------------


HASH(HM): 
00000: 
00010: 


MS: 

00000: 
00010: 
00020: 
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64 4D 17 B0 38 36 A6 51 EB 87 69 
18 47 F6 91 91 42 7C 30 009 17 ЗЕ 


B7 84 7E 97 8F D4 C9 АР 52 34 52 
FD E6 28 1C 18 C5 44 63 B1 F9 4C 
41 6D BB ӨЕ 90 A5 7E А4 Е0 6B 50 
Client connection key material 


K_write_MAC|K_read_MAC|K_write_ENC|K_read_ENC|IV_write|IV_read: 


00000: 
00010: 
00020: 
00030: 
00040: 
00050: 
00060: 
00070: 
00080: 


---------------------------Server---------------------------




PMSEXP extracted: 
FB F3 9D 
52 5A 29 
E1 49 BO 


00000: 
00010: 
00020: 


HASH(r_c 
00000: 
00010: 


КЕЕХРО 
00000: 
00010: 


жент ыс ана конку ілін ЕМЕЛ ее сілі ი თაბი ეი тіні 


HASH(HM) : 
00000: 
00010: 


MS: 

00000: 
00010: 
00020: 




Client connection 


K_read_MAC|K_write_MAC|K_read_ENC|K_write_ENC|IV_read|IV_write: 


00000: 
00010: 
00020: 
00030: 
00040: 
00050: 




A8 6F F3 1F CA 52 EA 
В5 7F E@ DB 2F С0 C8 
21 32 82 3A 24 96 EF 
AF 6C A7 94 75 АҒ ТЕ 
2D 44 30 AF 58 93 11 
8Е 76 EO 84 07 28 ВА 
7B B6 34 C1 6A 1D 1A 
77 F3 0D 18 D5 54 01 
4B 07 FF 98 AF 8C 82 


10 E8 00 AF 70 D6 22 
5C B9 F2 8F 96 F2 8B 
11 78 C2 DF D5 4C 93 


10 E8 00 AF 70 E7 AA 
D8 45 27 C7 CB DE C1 


D1 68 4A 15 CC 9B DD 
22 Ед 95 54 АС 79 1A 


В6 70 42 12 15 2В Е4 
OD BF 0A 5A 55 C2 СЕ 


EB 17 64 4D 17 BO 38 
D3 EB 18 47 F6 91 91 


C8 BB B7 84 7E 97 8F 
B1 72 FD E6 28 1C 18 
40 05 41 6D ВВ ВЕ 90 


key material 


A8 6F F3 1F CA 52 EA 
B5 7F Ед DB 2F СО СВ 
21 32 82 3A 24 96 EF 
AF 6C A7 94 75 4F 1F 
2D 44 30 AF 58 93 11 
8bE 76 EO 84 07 28 BA 
7B B6 34 C1 6A 1D 1A 
77 F3 0D 18 D5 54 01 
4B 07 FF 98 AF 8C 82 


ChangeCipherSpec message: 
type: 01 
00000: 01 
Record layer message: 
type: 14 
version: 
major: 03 
minor: 03 
length: 0001 
fragment: 01 


00000: 14 03 03 00 01 01 


HASH(HM): 
00000: EB 06 FE EB 17 64 4D 17 B0 38 36 A6 51 EB 87 69 
00010: B0 EA A2 D3 EB 18 47 F6 91 91 42 7C 30 D0 17 3E 


Finished message: 


msg_type: 14 
length: 00000C 
body: 
verify_data: D3EE1DEA725CD7080C744311 


00000: 14 00 00 0C D3 EE 1D EA 72 5C D7 08 0C 74 43 11 


Record layer message: 


type: 16 
version: 
major: 03 
minor: 03 
length: 0014 
fragment: 8854A0EDOCCBDAE076FA7D22D7634A8D1 
AF701BBB 


00000: 16 03 03 00 14 88 54 A0 ED 0C CB DA EO 76 FA 7D 
00010: 22 D7 63 А8 D1 AF 70 1B ВВ 


---------------------------Server---------------------------
ChangeCipherSpec message: 
type: 01 
00000: 01 
Record layer message: 
type: 14 
version: 
major: 03 
minor: 03 
length: 0001 
fragment: 01 


00000: 14 03 03 00 01 01 


HASH(HM): 
00000: 9C 0F C4 E3 32 5B 5E B3 70 B9 94 2A 71 02 6E F0 
00010: 10 71 08 A5 A1 BE 69 E8 C2 0B 70 CC 90 E9 A9 46 


Finished message: 


msg_type: 14 
length: 00000C 
body: 
verify_data: D6A2A697E9F23DB0F9017A79 


00000: 14 00 00 0C D6 A2 A6 97 E9 F2 3D B0 F9 01 7A 79 


Record layer message: 


type: 16 
version: 
major: 03 
minor: 03 
length: 0014 
fragment: 7BDDBB3C0A6A4A9E302B468CCD5CF786 
665FFEBC 


00000: 16 03 03 00 14 7B DD BB 3C 0A 6A 4A 9E 30 2B 46 
00010: 8C CD 5C F7 86 66 5F FE BC 


---------------------------Client---------------------------
Application data: 
00000: 48 45 4C 4F 0A 
Record layer message: 
type: 17 
version: 
major: 03 
minor: 03 
length: 0009 
fragment: A8951D9389D1AEFE3B 


00000: 17 03 03 00 09 A8 95 1D 93 89 D1 AE FE 3B 


---------------------------Server---------------------------
Application data: 
00000: 48 45 4C 4F 0A 
Record layer message: 
type: 17 
version: 
major: 03 
minor: 03 
length: 0009 
fragment: 0F368E5CEC86B4F8D7 
00000: 17 03 03 00 09 0F 36 8E 5C EC 86 B4 F8 D7 


---------------------------Client---------------------------
close_notify alert: 
Alert: 
level: 01 
description: 00 
00000: 01 00 
Record layer message: 
type: 15 
version: 
major: 03 
minor: 03 
length: 0006 
fragment: F91FCD98F309 


00000: 15 03 03 00 06 F9 1F CD 98 F3 09 


---------------------------Server---------------------------
close_notify alert: 
Alert: 
level: 01 
description: 00 
00000: 01 00 
Record layer message: 
type: 15 
version: 
major: 03 
minor: 03 
length: 0006 
fragment: 117B57AD5FED 


00000: 15 03 03 00 06 11 7B 57 AD 5F ED 
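
The following is an added example, not part of the RFC text: a consistency check an implementer can run over the CNT_IMIT record-layer vectors above before loading them into a test harness. It parses each record header and confirms that the fragment is exactly the plaintext plus the 4-byte MAC shown in the "MAC:" lines of A.2.1; the function names and the `DAMAGED` record are hypothetical, and the hex strings are the fragment and plaintext values from the A.2.2 messages.

```python
import struct
from dataclasses import dataclass

# MAC length for the CNT_IMIT vectors, read off the 4-byte "MAC:" values in A.2.1.
IMIT_LEN = 4

CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                 0x16: "handshake", 0x17: "application_data"}


@dataclass(frozen=True)
class Record:
    content_type: str
    version: tuple
    fragment: bytes


def parse_record(raw: bytes) -> Record:
    """Parse one TLS 1.2 record and reject any header/length mismatch."""
    if len(raw) < 5:
        raise ValueError("record shorter than the 5-byte header")
    ctype, major, minor, length = struct.unpack("!BBBH", raw[:5])
    if ctype not in CONTENT_TYPES:
        raise ValueError(f"unknown content type 0x{ctype:02X}")
    if (major, minor) != (3, 3):
        raise ValueError(f"unexpected version {major:02X} {minor:02X}")
    if length != len(raw) - 5:
        raise ValueError(f"length field {length} but {len(raw) - 5} fragment bytes")
    return Record(CONTENT_TYPES[ctype], (major, minor), raw[5:])


def check_vector(record_hex: str, plaintext_hex: str) -> Record:
    """Check that the protected fragment is len(plaintext) + IMIT_LEN bytes."""
    rec = parse_record(bytes.fromhex(record_hex))
    want = len(bytes.fromhex(plaintext_hex)) + IMIT_LEN
    if len(rec.fragment) != want:
        raise ValueError(f"fragment is {len(rec.fragment)} bytes, expected {want}")
    return rec


# (name, protected record, content before MAC and encryption), from A.2.2.
VECTORS = [
    ("server Finished",
     "16 03 03 00 14 7B DD BB 3C 0A 6A 4A 9E 30 2B 46 8C CD 5C F7 86 66 5F FE BC",
     "14 00 00 0C D6 A2 A6 97 E9 F2 3D B0 F9 01 7A 79"),
    ("client application data",
     "17 03 03 00 09 A8 95 1D 93 89 D1 AE FE 3B", "48 45 4C 4F 0A"),
    ("client close_notify", "15 03 03 00 06 F9 1F CD 98 F3 09", "01 00"),
    ("server close_notify", "15 03 03 00 06 11 7B 57 AD 5F ED", "01 00"),
]

# Constructed failure case: the same application-data record with a mistyped
# length field, as a transcription error would produce.
DAMAGED = "17 03 03 80 89 A8 95 1D 93 89 D1 AE FE 3B"


def check_all():
    """Return (name, content type) for every vector; raises on the first bad one."""
    return [(name, check_vector(rec, pt).content_type) for name, rec, pt in VECTORS]


if __name__ == "__main__":
    for name, ctype in check_all():
        print(f"{name}: {ctype} ok")
    try:
        parse_record(bytes.fromhex(DAMAGED))
    except ValueError as exc:
        print("damaged record rejected:", exc)
```
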


Contributors 


Ekaterina Griboedova 
CryptoPro 
Email: griboedova.e.s@gmail.com 


Grigory Sedov 
CryptoPro 
Email: sedovgk@cryptopro.ru 




Dmitry Eremin-Solenikov 
Auriga 
Email: dbaryshkov@gmail.com 


Lidiia Nikiforova 
CryptoPro 
Email: nikiforova@cryptopro.ru 


Authors' Addresses 


Stanislav Smyshlyaev (EDITOR) 
CryptoPro 

18, Suschevsky val 

Moscow 

127018 

Russian Federation 

Phone: +7 (495) 995-48-20 

Email: svs@cryptopro.ru 


Dmitry Belyavskiy 
Cryptocom 

14/2, Kedrova St. 

Moscow 

117218 

Russian Federation 

Email: beldmit@gmail.com 


Evgeny Alekseev 

CryptoPro 

18, Suschevsky val 

Moscow 

127018 

Russian Federation 

Email: alekseev@cryptopro.ru 




